
Analysis Report Request For Quotation_pdf.scr

Overview

General Information

Sample Name: Request For Quotation_pdf.scr (renamed file extension from scr to exe)
Analysis ID: 339373
MD5: a9125d57b0d4162e7da34d6b8c10836f
SHA1: 56bcb534abe3e5111b07b4f502b647fb5584b905
SHA256: 4f84f23b927e4a2f6f64d0c824777c1e0edb05f8f83a662ef59617793582cfb6
Tags: AgentTesla, scr

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Request For Quotation_pdf.exe (PID: 6644 cmdline: 'C:\Users\user\Desktop\Request For Quotation_pdf.exe' MD5: A9125D57B0D4162E7DA34D6B8C10836F)
    • schtasks.exe (PID: 6852 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FLahHLuGzK' /XML 'C:\Users\user\AppData\Local\Temp\tmp91A5.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "kBDUWu4tdzmw4m", "URL: ": "https://70m3WJPOC5dv7ww.org", "To: ": "diamondraylog@yandex.ru", "ByHost: ": "smtp.yandex.ru:587", "Password: ": "RQslMXh", "From: ": "diamondraylog@yandex.ru"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.608313718.0000000003D76000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.610458939.00000000064C0000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: Request For Quotation_pdf.exe PID: 6644 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.Request For Quotation_pdf.exe.64c0000.7.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.Request For Quotation_pdf.exe.64c0000.7.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FLahHLuGzK' /XML 'C:\Users\user\AppData\Local\Temp\tmp91A5.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FLahHLuGzK' /XML 'C:\Users\user\AppData\Local\Temp\tmp91A5.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Request For Quotation_pdf.exe', ParentImage: C:\Users\user\Desktop\Request For Quotation_pdf.exe, ParentProcessId: 6644, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FLahHLuGzK' /XML 'C:\Users\user\AppData\Local\Temp\tmp91A5.tmp', ProcessId: 6852

Signature Overview

AV Detection:

Found malware configuration
Source: Request For Quotation_pdf.exe.6644.0.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "kBDUWu4tdzmw4m", "URL: ": "https://70m3WJPOC5dv7ww.org", "To: ": "diamondraylog@yandex.ru", "ByHost: ": "smtp.yandex.ru:587", "Password: ": "RQslMXh", "From: ": "diamondraylog@yandex.ru"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\FLahHLuGzK.exe | ReversingLabs: Detection: 26%
Multi AV Scanner detection for submitted file
Source: Request For Quotation_pdf.exe | ReversingLabs: Detection: 26%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\FLahHLuGzK.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Request For Quotation_pdf.exe | Joe Sandbox ML: detected
Source: Request For Quotation_pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Request For Quotation_pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://70m3WJPOC5dv7ww.org
Source: global traffic | TCP traffic: 192.168.2.3:49747 -> 77.88.21.158:587
Source: Joe Sandbox View | IP Address: 77.88.21.158 77.88.21.158
Source: unknown | DNS traffic detected: queries for: smtp.yandex.ru
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | String found in binary or memory: http://crl.certum.pl/ca.crl0h
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | String found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | String found in binary or memory: http://mPTCSt.com
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | String found in binary or memory: http://repository.certum.pl/ca.cer09
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | String found in binary or memory: http://repository.certum.pl/ycasha2.cer0
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | String found in binary or memory: http://subca.ocsp-certum.com0.
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | String found in binary or memory: http://subca.ocsp-certum.com01
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | String found in binary or memory: http://www.certum.pl/CPS0
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | String found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | String found in binary or memory: http://yandex.ocsp-responder.com03
Source: Request For Quotation_pdf.exe, 00000000.00000002.606237650.0000000002D12000.00000004.00000001.sdmp, Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp, Request For Quotation_pdf.exe, 00000000.00000002.606128052.0000000002CE0000.00000004.00000001.sdmp, Request For Quotation_pdf.exe, 00000000.00000002.606399641.0000000002D44000.00000004.00000001.sdmp | String found in binary or memory: https://70m3WJPOC5dv7ww.org
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | String found in binary or memory: https://www.certum.pl/CPS0
Source: Request For Quotation_pdf.exe, 00000000.00000002.608313718.0000000003D76000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: Request For Quotation_pdf.exe, 00000000.00000002.603371760.0000000000D98000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Request For Quotation_pdf.exe
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Code function: 0_2_00B48BF0
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Code function: 0_2_00B42718
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Code function: 0_2_00B45350
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Code function: 0_2_00B4A0B8
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Code function: 0_2_00B4B4E8
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Code function: 0_2_00B44448
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Code function: 0_2_00B45FB0
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Code function: 0_2_00B4A7E8
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Code function: 0_2_028DC62C
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Code function: 0_2_028DE890
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Code function: 0_2_028DE8A0
Source: Request For Quotation_pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FLahHLuGzK.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Request For Quotation_pdf.exe, 00000000.00000002.607460880.0000000003A7F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePositiveSign.dll< vs Request For Quotation_pdf.exe
Source: Request For Quotation_pdf.exe, 00000000.00000002.608313718.0000000003D76000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamexjKPyntUGvaYvfCkJdXbGEvM.exe4 vs Request For Quotation_pdf.exe
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSoapName.dll2 vs Request For Quotation_pdf.exe
Source: Request For Quotation_pdf.exe, 00000000.00000002.610086375.0000000006210000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Request For Quotation_pdf.exe
Source: Request For Quotation_pdf.exe, 00000000.00000002.610533650.0000000006610000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Request For Quotation_pdf.exe
Source: Request For Quotation_pdf.exe, 00000000.00000002.602119236.000000000064E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCompletionActionInvoker.exe@ vs Request For Quotation_pdf.exe
Source: Request For Quotation_pdf.exe, 00000000.00000002.603371760.0000000000D98000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Request For Quotation_pdf.exe
Source: Request For Quotation_pdf.exe, 00000000.00000002.610290393.0000000006310000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Request For Quotation_pdf.exe
Source: Request For Quotation_pdf.exe, 00000000.00000002.610290393.0000000006310000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Request For Quotation_pdf.exe
Source: Request For Quotation_pdf.exe | Binary or memory string: OriginalFilenameCompletionActionInvoker.exe@ vs Request For Quotation_pdf.exe
Source: Request For Quotation_pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/4@1/1
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | File created: C:\Users\user\AppData\Roaming\FLahHLuGzK.exe
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\wAUTKAiLyvsCebSuWgxOX
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_01
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmp91A5.tmp
Source: Request For Quotation_pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Request For Quotation_pdf.exe | ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | File read: C:\Users\user\Desktop\Request For Quotation_pdf.exe
Source: unknown | Process created: C:\Users\user\Desktop\Request For Quotation_pdf.exe 'C:\Users\user\Desktop\Request For Quotation_pdf.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FLahHLuGzK' /XML 'C:\Users\user\AppData\Local\Temp\tmp91A5.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FLahHLuGzK' /XML 'C:\Users\user\AppData\Local\Temp\tmp91A5.tmp'
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Request For Quotation_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Request For Quotation_pdf.exe | Static file information: File size 1206272 > 1048576
Source: Request For Quotation_pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: Request For Quotation_pdf.exe, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: FLahHLuGzK.exe.0.dr, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Request For Quotation_pdf.exe.540000.0.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Request For Quotation_pdf.exe.540000.0.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Code function: 0_2_00B458F2 pushad ; ret 0_2_00B458F9
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Code function: 0_2_00B459A0 pushfd ; ret 0_2_00B459E9
Source: initial sample | Static PE information: section name: .text entropy: 7.29828241423
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | File created: C:\Users\user\AppData\Roaming\FLahHLuGzK.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FLahHLuGzK' /XML 'C:\Users\user\AppData\Local\Temp\tmp91A5.tmp'
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Request For Quotation_pdf.exe PID: 6644, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Window / User API: threadDelayed 3490
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Window / User API: threadDelayed 6311
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe TID: 6648 | Thread sleep time: -52043s >= -30000s
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe TID: 6972 | Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe TID: 6976 | Thread sleep count: 3490 > 30
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe TID: 6976 | Thread sleep count: 6311 > 30
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe TID: 6972 | Thread sleep count: 42 > 30
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Request For Quotation_pdf.exe, 00000000.00000002.610533650.0000000006610000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: Request For Quotation_pdf.exe, 00000000.00000002.610533650.0000000006610000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Request For Quotation_pdf.exe, 00000000.00000002.610533650.0000000006610000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: Request For Quotation_pdf.exe, 00000000.00000002.603618561.0000000000E88000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: Request For Quotation_pdf.exe, 00000000.00000002.610533650.0000000006610000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Memory allocated: page read and write | page guard
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FLahHLuGzK' /XML 'C:\Users\user\AppData\Local\Temp\tmp91A5.tmp'Jump to behavior
                Source: Request For Quotation_pdf.exe, 00000000.00000002.603715746.00000000013E0000.00000002.00000001.sdmpBinary or memory string: Program Manager
                Source: Request For Quotation_pdf.exe, 00000000.00000002.603715746.00000000013E0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                Source: Request For Quotation_pdf.exe, 00000000.00000002.603715746.00000000013E0000.00000002.00000001.sdmpBinary or memory string: Progman
                Source: Request For Quotation_pdf.exe, 00000000.00000002.603715746.00000000013E0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exeQueries volume information: C:\Users\user\Desktop\Request For Quotation_pdf.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
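The schtasks command line above is the behaviour behind the report's "Sigma detected: Scheduled temp file as task from temp location" signature: a task is registered from an XML definition that lives in the user's Temp directory, and the parent that spawned schtasks.exe is a binary on the desktop rather than an installer. The following is an added example (not code from the Joe Sandbox report or from the sample) of one way to implement that check over process-creation events. The events are constructed: the first mirrors the command line the report shows, the others are assumed benign controls; the temp-directory patterns and the system-parent prefixes are assumptions to tune per estate.

```python
"""Detect a scheduled task registered from an XML file in a temp directory.

Added example, not code from the Joe Sandbox report or from the sample.
The events are constructed; the first mirrors the schtasks command line the
report shows, the others are assumed benign controls.
"""
import re

# Assumed temp locations; extend for the estate being monitored.
TEMP_DIR_PATTERNS = [
    re.compile(r"\\AppData\\Local\\Temp\\", re.I),
    re.compile(r"\\Windows\\Temp\\", re.I),
    re.compile(r"^[A-Z]:\\Temp\\", re.I),
]
# Parents from these locations are treated as installers (assumption).
SYSTEM_PARENT_PREFIXES = ("c:\\windows\\", "c:\\program files")


def split_windows_args(cmdline: str) -> list[str]:
    """Minimal Windows command-line splitter: whitespace separates arguments,
    single or double quotes group them, backslashes are ordinary characters
    (the report renders quotes as single quotes; real logs use double)."""
    args, buf, quote = [], [], None
    for ch in cmdline:
        if quote:
            if ch == quote:
                quote = None
            else:
                buf.append(ch)
        elif ch in "'\"":
            quote = ch
        elif ch.isspace():
            if buf:
                args.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        args.append("".join(buf))
    return args


def parse_schtasks(args: list[str]) -> dict:
    """Map schtasks switches to their values (None for bare switches).
    Switch names are lower-cased; the leading executable is ignored."""
    opts, i = {}, 0
    while i < len(args):
        if args[i].startswith("/"):
            key = args[i].lower()
            if i + 1 < len(args) and not args[i + 1].startswith("/"):
                opts[key] = args[i + 1]
                i += 2
                continue
            opts[key] = None
        i += 1
    return opts


def is_temp_path(path: str) -> bool:
    """True for a path inside a temp directory or with a .tmp extension."""
    return any(p.search(path) for p in TEMP_DIR_PATTERNS) or path.lower().endswith(".tmp")


def detect_temp_task_creation(events: list[dict]) -> list[dict]:
    """events: process-creation records with Image, CommandLine, ParentImage.
    Flags schtasks /Create whose /XML definition lives in a temp directory;
    severity is raised when the parent is not a system or installer path."""
    findings = []
    for ev in events:
        if not ev["Image"].lower().endswith("\\schtasks.exe"):
            continue
        opts = parse_schtasks(split_windows_args(ev["CommandLine"]))
        xml = opts.get("/xml")
        if "/create" not in opts or not xml or not is_temp_path(xml):
            continue
        parent = ev["ParentImage"].lower()
        findings.append({
            "task": opts.get("/tn"),
            "xml": xml,
            "parent": ev["ParentImage"],
            "severity": "medium" if parent.startswith(SYSTEM_PARENT_PREFIXES) else "high",
        })
    return findings


EVENTS = [  # constructed; the first entry mirrors the report's command line
    {"ParentImage": r"C:\Users\user\Desktop\Request For Quotation_pdf.exe",
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FLahHLuGzK' /XML 'C:\Users\user\AppData\Local\Temp\tmp91A5.tmp'"},
    {"ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Vendor\Updater" /XML "C:\Program Files\Vendor\updater.xml"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Query /TN "Updates\FLahHLuGzK"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c dir %TEMP%'},
]

if __name__ == "__main__":
    for f in detect_temp_task_creation(EVENTS):
        print(f"[{f['severity']}] task {f['task']!r} from {f['xml']} (parent {f['parent']})")
```

The parent check is what separates this sample from a legitimate installer that also uses /XML: here the parent is the user's own download, so the finding is rated high. Task names under a generic folder such as Updates\ are a further prompt to pull the XML itself, which in this run had already been deleted from Temp by the time it could be collected.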

                Stealing of Sensitive Information:

                Yara detected AgentTesla
                Source: Yara match | File source: 00000000.00000002.608313718.0000000003D76000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.610458939.00000000064C0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Request For Quotation_pdf.exe PID: 6644, type: MEMORY
                Source: Yara match | File source: 0.2.Request For Quotation_pdf.exe.64c0000.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Request For Quotation_pdf.exe.64c0000.7.unpack, type: UNPACKEDPE
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Tries to harvest and steal ftp login credentials
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                Tries to steal Mail credentials (via file access)
                Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: Yara match | File source: 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Request For Quotation_pdf.exe PID: 6644, type: MEMORY
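Taken one at a time, the file opens listed above are weak signals: a backup agent reads profiles.ini, and Chrome reads its own Login Data. What marks the stealer is a single process that is none of those owners reading browser, FTP-client and mail-client stores in one run. The following is an added example (not code from the Joe Sandbox report or from the sample) that correlates file-open records by process against exactly the paths the report lists. The events are constructed; the owner-process names and the threshold of two store kinds are assumptions.

```python
"""Correlate file-open events against credential stores by category.

Added example, not code from the Joe Sandbox report or from the sample.
The path patterns are the files the report shows the sample opening; the
owner-process names and the events below are constructed assumptions.
"""
import re
from collections import defaultdict

CREDENTIAL_STORES = {
    "browser": [
        re.compile(r"\\Mozilla\\Firefox\\profiles\.ini$", re.I),
        re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I),
        re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Cookies$", re.I),
    ],
    "ftp": [
        re.compile(r"\\FileZilla\\recentservers\.xml$", re.I),
        re.compile(r"\\SmartFTP\\Client 2\.0\\Favorites\\", re.I),
    ],
    "mail": [
        re.compile(r"\\Thunderbird\\profiles\.ini$", re.I),
    ],
}

# Processes expected to read their own store (assumption; extend per estate).
OWNERS = {
    "browser": {"firefox.exe", "chrome.exe"},
    "ftp": {"filezilla.exe", "smartftp.exe"},
    "mail": {"thunderbird.exe"},
}


def classify(path: str):
    """Return the store category a path belongs to, or None."""
    for category, patterns in CREDENTIAL_STORES.items():
        if any(p.search(path) for p in patterns):
            return category
    return None


def correlate(events, min_categories: int = 2) -> dict:
    """events: iterable of {"Image": <process path>, "Path": <file opened>}.
    A process is reported when it touches at least `min_categories` kinds
    of store, or when it reads a store it does not own."""
    seen = defaultdict(lambda: {"categories": set(), "paths": [], "foreign": set()})
    for ev in events:
        cat = classify(ev["Path"])
        if cat is None:
            continue
        rec = seen[ev["Image"]]
        rec["categories"].add(cat)
        rec["paths"].append(ev["Path"])
        if ev["Image"].rsplit("\\", 1)[-1].lower() not in OWNERS[cat]:
            rec["foreign"].add(cat)
    findings = {}
    for image, rec in seen.items():
        reasons = []
        if len(rec["categories"]) >= min_categories:
            reasons.append(f"reads {len(rec['categories'])} kinds of credential store")
        if rec["foreign"]:
            reasons.append("reads stores it does not own: " + ", ".join(sorted(rec["foreign"])))
        if reasons:
            findings[image] = {"categories": sorted(rec["categories"]),
                               "paths": rec["paths"], "reasons": reasons}
    return findings


SAMPLE = r"C:\Users\user\Desktop\Request For Quotation_pdf.exe"
EVENTS = [  # constructed; the SAMPLE paths are the ones the report lists
    {"Image": SAMPLE, "Path": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"Image": SAMPLE, "Path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"Image": SAMPLE, "Path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"Image": SAMPLE, "Path": r"C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect" + "\\"},
    {"Image": SAMPLE, "Path": r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"},
    {"Image": SAMPLE, "Path": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"Image": r"C:\Windows\explorer.exe", "Path": r"C:\Users\user\Documents\quote.pdf"},
]

if __name__ == "__main__":
    for image, f in correlate(EVENTS).items():
        print(image, f["categories"])
        for reason in f["reasons"]:
            print("   ", reason)
```

The "foreign reader" rule fires on a single access, so it needs an allowlist for backup and EDR agents; the "two or more kinds" rule is the one that stays quiet on those and still catches a stealer that only manages to find one browser and one mail client on the host.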

                Remote Access Functionality:

                Yara detected AgentTesla
                Source: Yara match | File source: 00000000.00000002.608313718.0000000003D76000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.610458939.00000000064C0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Request For Quotation_pdf.exe PID: 6644, type: MEMORY
                Source: Yara match | File source: 0.2.Request For Quotation_pdf.exe.64c0000.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Request For Quotation_pdf.exe.64c0000.7.unpack, type: UNPACKEDPE

                Mitre Att&ck Matrix

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | Windows Management Instrumentation211 | Scheduled Task/Job1 | Process Injection12 | Disable or Modify Tools1 | OS Credential Dumping2 | File and Directory Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Obfuscated Files or Information2 | Input Capture1 | System Information Discovery113 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing11 | Security Account Manager | Query Registry1 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Masquerading1 | NTDS | Security Software Discovery321 | Distributed Component Object Model | Input Capture1 | Scheduled Transfer | Application Layer Protocol111 | SIM Card Swap | | Carrier Billing Fraud
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion14 | LSA Secrets | Virtualization/Sandbox Evasion14 | SSH | Clipboard Data1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | Process Injection12 | Cached Domain Credentials | Process Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                Behavior Graph


                Screenshots


                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                Source | Detection | Scanner | Label
                Request For Quotation_pdf.exe | 26% | ReversingLabs | Win32.Trojan.Pwsx
                Request For Quotation_pdf.exe | 100% | Joe Sandbox ML |

                Dropped Files

                Source | Detection | Scanner | Label
                C:\Users\user\AppData\Roaming\FLahHLuGzK.exe | 100% | Joe Sandbox ML |
                C:\Users\user\AppData\Roaming\FLahHLuGzK.exe | 26% | ReversingLabs | Win32.Trojan.Pwsx

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

                Source | Detection | Scanner | Label
                http://subca.ocsp-certum.com0. | 0% | URL Reputation | safe
                http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
                http://DynDns.comDynDNS | 0% | URL Reputation | safe
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                https://70m3WJPOC5dv7ww.org | 0% | Avira URL Cloud | safe
                http://subca.ocsp-certum.com01 | 0% | URL Reputation | safe
                http://mPTCSt.com | 0% | Avira URL Cloud | safe
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
                http://yandex.ocsp-responder.com03 | 0% | URL Reputation | safe

                Domains and IPs

                Contacted Domains

                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                smtp.yandex.ru | 77.88.21.158 | true | false | | high

                  Contacted URLs

                Name | Malicious | Antivirus Detection | Reputation
                https://70m3WJPOC5dv7ww.org | true | Avira URL Cloud: safe | unknown

                  URLs from Memory and Binaries

                The strings below are carved from process memory. The trailing characters after several of them (0., 09, 0k, 03, 0q, 0h, 0- and similar) are not part of the URL; they are the bytes that happen to follow the string in the memory region it was carved from, so strip them before using the entries as indicators.

                Name | Source | Malicious | Antivirus Detection | Reputation
                http://subca.ocsp-certum.com0. | Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://repository.certum.pl/ca.cer09 | Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | false | | high
                http://127.0.0.1:HTTP/1.1 | Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                http://DynDns.comDynDNS | Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://repository.certum.pl/ctnca.cer09 | Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | false | | high
                http://crls.yandex.net/certum/ycasha2.crl0- | Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | false | | high
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://crl.certum.pl/ctnca.crl0k | Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | false | | high
                http://subca.ocsp-certum.com01 | Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://yandex.crl.certum.pl/ycasha2.crl0q | Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | false | | high
                http://crl.certum.pl/ca.crl0h | Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | false | | high
                https://www.certum.pl/CPS0 | Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | false | | high
                http://mPTCSt.com | Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | false | | high
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Request For Quotation_pdf.exe, 00000000.00000002.608313718.0000000003D76000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.certum.pl/CPS0 | Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | false | | high
                http://yandex.ocsp-responder.com03 | Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://repository.certum.pl/ycasha2.cer0 | Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | false | | high

                                      Contacted IPs


                                      Public

                IP | Domain | Country | ASN | ASN Name | Malicious
                77.88.21.158 | unknown | Russian Federation | 13238 | YANDEXRU | false
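The only host the sample contacted is smtp.yandex.ru, and the Att&ck matrix above attributes the traffic to exfiltration over an application-layer protocol: AgentTesla hands its harvested credentials to a mailbox the operator controls. A desktop process that is not a mail client resolving an smtp. hostname and then connecting to the answer is the network-side signal. The following is an added example (not code from the Joe Sandbox report or from the sample) that correlates Sysmon-style DNS answers with later connections per process. The events are constructed; the hostname and IP are the ones in the table above, while the destination ports and the mail-client allowlist are assumptions, since the report does not state which port the sample used.

```python
"""Flag SMTP-style egress from processes that are not mail clients.

Added example, not code from the Joe Sandbox report or from the sample.
Input is a constructed, time-ordered list of Sysmon-style events: ID 22
(DNS query, with QueryName and QueryResults) and ID 3 (network connection).
The hostname and IP come from the report's "Contacted Domains" table; the
destination ports are an assumption, the report does not list the port.
"""
import ipaddress
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}                          # assumption
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}    # assumption; tune per estate


def parse_query_results(field: str) -> list[str]:
    """Extract IP addresses from a Sysmon QueryResults field.
    IPv4 answers are written as '::ffff:a.b.c.d;' and CNAME answers are
    prefixed with 'type:'; anything that is not an address is skipped."""
    ips = []
    for part in field.split(";"):
        part = part.strip()
        if part.startswith("::ffff:"):
            part = part[len("::ffff:"):]
        try:
            ips.append(str(ipaddress.ip_address(part)))
        except ValueError:
            continue
    return ips


def detect_smtp_egress(events: list[dict]) -> list[dict]:
    """Correlate each process's DNS answers with its later connections and
    report connections that look like SMTP from a non-mail process, either
    because the destination was resolved from an smtp. name or because the
    port is an SMTP port."""
    resolved = defaultdict(dict)      # Image -> {ip: hostname}
    findings = []
    for ev in events:
        if ev["EventID"] == 22:
            for ip in parse_query_results(ev["QueryResults"]):
                resolved[ev["Image"]][ip] = ev["QueryName"].lower()
        elif ev["EventID"] == 3:
            exe = ev["Image"].rsplit("\\", 1)[-1].lower()
            host = resolved[ev["Image"]].get(ev["DestinationIp"])
            by_name = host is not None and host.startswith("smtp.")
            by_port = ev["DestinationPort"] in SMTP_PORTS
            if (by_name or by_port) and exe not in MAIL_CLIENTS:
                findings.append({
                    "image": ev["Image"],
                    "host": host,
                    "ip": ev["DestinationIp"],
                    "port": ev["DestinationPort"],
                    "reason": "hostname" if by_name else "port",
                })
    return findings


SAMPLE = r"C:\Users\user\Desktop\Request For Quotation_pdf.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

EVENTS = [  # constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
    {"EventID": 22, "Image": SAMPLE, "QueryName": "smtp.yandex.ru",
     "QueryResults": "::ffff:77.88.21.158;"},
    {"EventID": 3, "Image": SAMPLE, "DestinationIp": "77.88.21.158", "DestinationPort": 587},
    {"EventID": 22, "Image": OUTLOOK, "QueryName": "smtp.office365.com",
     "QueryResults": "::ffff:203.0.113.10;"},
    {"EventID": 3, "Image": OUTLOOK, "DestinationIp": "203.0.113.10", "DestinationPort": 587},
    {"EventID": 3, "Image": CHROME, "DestinationIp": "203.0.113.20", "DestinationPort": 443},
    {"EventID": 3, "Image": SAMPLE, "DestinationIp": "198.51.100.5", "DestinationPort": 465},
]

if __name__ == "__main__":
    for f in detect_smtp_egress(EVENTS):
        print(f"{f['image']} -> {f['host'] or f['ip']}:{f['port']} ({f['reason']})")
```

Keying the DNS cache per process matters: a shared resolver cache would attribute Outlook's answer for a mail host to any process that later connects to the same address, and the hostname rule would fire on browsers that load webmail. The port rule is the fallback for a build that hard-codes the IP and never issues a query.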

                                      General Information

                Joe Sandbox Version: 31.0.0 Red Diamond
                Analysis ID: 339373
                Start date: 13.01.2021
                Start time: 21:51:41
                Joe Sandbox Product: CloudBasic
                Overall analysis duration: 0h 7m 57s
                Hypervisor based Inspection enabled: false
                Report type: full
                Sample file name: Request For Quotation_pdf.scr (renamed file extension from scr to exe)
                Cookbook file name: default.jbs
                Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Number of new started processes analysed: 31
                Number of new started drivers analysed: 0
                Number of existing processes analysed: 0
                Number of existing drivers analysed: 0
                Number of injected processes analysed: 0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode: default
                Analysis stop reason: Timeout
                Detection: MAL
                Classification: mal100.troj.spyw.evad.winEXE@4/4@1/1
                EGA Information: Failed
                HDC Information: Failed
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 11
                • Number of non-executed functions: 8
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                Warnings:
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
                • Excluded IPs from analysis (whitelisted): 52.147.198.201, 52.255.188.83, 13.64.90.137, 168.61.161.212, 23.210.248.85, 51.104.139.180, 92.122.213.247, 92.122.213.194, 8.248.149.254, 8.253.95.249, 8.253.204.121, 67.26.75.254, 67.26.137.254, 20.54.26.129, 84.53.167.113, 51.103.5.186, 51.132.208.181, 52.155.217.156
                • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, e15275.g.akamaiedge.net, wns.notify.windows.com.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, wildcard.weather.microsoft.com.edgekey.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, tile-service.weather.microsoft.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net
                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • VT rate limit hit for: /opt/package/joesandbox/database/analysis/339373/sample/Request For Quotation_pdf.exe

                                      Simulations

                                      Behavior and APIs

                Time | Type | Description
                21:52:41 | API Interceptor | 1084x Sleep call for process: Request For Quotation_pdf.exe modified

                                      Joe Sandbox View / Context

                                      IPs

                Match: 77.88.21.158 (every associated sample below is detected as malicious)
                • SWIFT HKEB0C01725410-T02.zip.exe
                • RFQ#675568PL_pdf.exe
                • Quote ROE-127488-MU.exe
                • Purchase order.exe
                • Request For Quotation GH67511_pdf.exe
                • swiftcopy001#pdf.exe
                • Payment Receipt.exe
                • TT Copy_pdf.exe
                • PO-98766.exe
                • Original_Copies.exe
                • Purchase order001#pdf.exe
                • Product Catalogue List. docs.exe
                • Payment Receipt.exe
                • Product Catalogue.exe
                • SecuriteInfo.com.Trojan.GenericKD.35832395.5304.exe
                • iuu4DJ67MC.exe
                • Order 539.exe
                • 3yoE6lNVNy.exe
                • SWIFT COPY AMOUNT OF US 49.676,30 FOR SMX022-10-20 DATED 23122020.xlsx
                • yuag0m1Xh7.exe

                                                                              Domains

                Match: smtp.yandex.ru (every associated sample below is detected as malicious and resolved the domain to 77.88.21.158)
                • SWIFT HKEB0C01725410-T02.zip.exe
                • RFQ#675568PL_pdf.exe
                • Quote ROE-127488-MU.exe
                • Purchase order.exe
                • Request For Quotation GH67511_pdf.exe
                • swiftcopy001#pdf.exe
                • Payment Receipt.exe
                • TT Copy_pdf.exe
                • PO-98766.exe
                • Original_Copies.exe
                • Purchase order001#pdf.exe
                • Product Catalogue List. docs.exe
                • Payment Receipt.exe
                • Product Catalogue.exe
                • SecuriteInfo.com.Trojan.GenericKD.35832395.5304.exe
                • iuu4DJ67MC.exe
                • Order 539.exe
                • 3yoE6lNVNy.exe
                • SWIFT COPY AMOUNT OF US 49.676,30 FOR SMX022-10-20 DATED 23122020.xlsx
                • yuag0m1Xh7.exe

ASN

Match: YANDEXRU
Associated Sample Name / URL | Detection | Context
SWIFT HKEB0C01725410-T02.zip.exe | malicious | 77.88.21.158
RFQ#675568PL_pdf.exe | malicious | 77.88.21.158
Quote ROE-127488-MU.exe | malicious | 77.88.21.158
Purchase order.exe | malicious | 77.88.21.158
Request For Quotation GH67511_pdf.exe | malicious | 77.88.21.158
swiftcopy001#pdf.exe | malicious | 77.88.21.158
Payment Receipt.exe | malicious | 77.88.21.158
TT Copy_pdf.exe | malicious | 77.88.21.158
PO-98766.exe | malicious | 77.88.21.158
Original_Copies.exe | malicious | 77.88.21.158
http://ovd.ru/forum/register.php?a=act&u=84666&i=25545989 | malicious | 87.250.250.36
http://mainfreight-6452496282.eritro.ir/retailer.php?ikpah=Z2lvdmFuYS50YWJhcmluaUBtYWluZnJlaWdodC5jb20= | malicious | 87.250.250.119
Purchase order001#pdf.exe | malicious | 77.88.21.158
Product Catalogue List. docs.exe | malicious | 77.88.21.158
http://iaaoaot.angelx97.xyz/OCFAheVlOOWYzT2RoWDEvaFE | malicious | 87.250.251.119
lZVNh1BPxm.exe | malicious | 87.250.250.22
qG5E4q8Cv5.exe | malicious | 87.250.250.22
http://browsermine.com | malicious | 77.88.21.119
Payment Receipt.exe | malicious | 77.88.21.158
Product Catalogue.exe | malicious | 77.88.21.158

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\tmp91A5.tmp
Process:C:\Users\user\Desktop\Request For Quotation_pdf.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1643
Entropy (8bit):5.193980191585194
Encrypted:false
SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBntn:cbh47TlNQ//rydbz9I3YODOLNdq3n
MD5:C27284C9952E79A82CEE03B348A03192
SHA1:96E60BEA3998F19646082C48AB3FB0AAAAB4AEB6
SHA-256:621CC8F055B4E0294DB250611782A694C2EA00AED46F3BD23CABE04A8231EB12
SHA-512:13F16F1AEF62D2ECFD3C15EEB167875351FC30CA35C503839998444E37CDBE767FFD2A2C5814EAF06F52F7C4E48377517E2BB4DAFEE11C389B81040EF283ED51
Malicious:true
Reputation:low
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
C:\Users\user\AppData\Roaming\FLahHLuGzK.exe
Process:C:\Users\user\Desktop\Request For Quotation_pdf.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):1206272
Entropy (8bit):6.475210120171716
Encrypted:false
SSDEEP:12288:Tk3i7spOXX0muTKVzRaLrXOa/lcCgTZX8naDUf+h6a9Env:p+OeSaH+atcCKZIzP
MD5:A9125D57B0D4162E7DA34D6B8C10836F
SHA1:56BCB534ABE3E5111B07B4F502B647FB5584B905
SHA-256:4F84F23B927E4A2F6F64D0C824777C1E0EDB05F8F83A662EF59617793582CFB6
SHA-512:430731A8792D27FAC18BE517BB200A514CC8B7D72E90D0BDFCD630BA85600C46633F13B3499EEA0993573122C07DD5015FC2318B7E13DBED9495222822D6930D
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 26%
Reputation:low
C:\Users\user\AppData\Roaming\FLahHLuGzK.exe:Zone.Identifier
Process:C:\Users\user\Desktop\Request For Quotation_pdf.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Reputation:high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0
C:\Users\user\AppData\Roaming\qxsok1rs.4ec\Chrome\Default\Cookies
Process:C:\Users\user\Desktop\Request For Quotation_pdf.exe
File Type:SQLite 3.x database, last written using SQLite version 3032001
Category:modified
Size (bytes):20480
Entropy (8bit):0.6970840431455908
Encrypted:false
SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5:00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1:14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256:8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512:159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious:false
Reputation:moderate, very likely benign file

Static File Info

General

File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):6.475210120171716
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name:Request For Quotation_pdf.exe
File size:1206272
MD5:a9125d57b0d4162e7da34d6b8c10836f
SHA1:56bcb534abe3e5111b07b4f502b647fb5584b905
SHA256:4f84f23b927e4a2f6f64d0c824777c1e0edb05f8f83a662ef59617793582cfb6
SHA512:430731a8792d27fac18be517bb200a514cc8b7d72e90d0bdfcd630ba85600c46633f13b3499eea0993573122c07dd5015fc2318b7e13dbed9495222822d6930d
SSDEEP:12288:Tk3i7spOXX0muTKVzRaLrXOa/lcCgTZX8naDUf+h6a9Env:p+OeSaH+atcCKZIzP
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............P.................. ........@.. ....................................@................................

File Icon

Icon Hash:3cfcc4dcfcdcf4c4

Static PE Info

General

Entrypoint:0x4cd5f6
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x5FFEC78E [Wed Jan 13 10:12:30 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:v4.0.30319
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al

Data Directories

Name                                   Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT           0xcd5a4          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE         0xce000          0x5ad04       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY         0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC        0x12a000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG            0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT              0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xcb5fc | 0xcb600 | False | 0.694828720421 | data | 7.29828241423 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xce000 | 0x5ad04 | 0x5ae00 | False | 0.031467610901 | data | 2.76557267543 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x12a000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0xce220 | 0x42028 | dBase III DBT, version number 0, next free block index 40 | |
RT_ICON | 0x110248 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x1106b0 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x112c58 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x113d00 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
RT_ICON | 0x124528 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
RT_GROUP_ICON | 0x128750 | 0x5a | data | |
RT_VERSION | 0x1287ac | 0x36c | data | |
RT_MANIFEST | 0x128b18 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2011
Assembly Version | 1.0.0.0
InternalName | CompletionActionInvoker.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | FileReplacement
ProductVersion | 1.0.0.0
FileDescription | FileReplacement
OriginalFilename | CompletionActionInvoker.exe

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 13, 2021 21:54:16.062416077 CET | 192.168.2.3 | 8.8.8.8 | 0xc0c8 | Standard query (0) | smtp.yandex.ru | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 13, 2021 21:54:16.118700027 CET | 8.8.8.8 | 192.168.2.3 | 0xc0c8 | No error (0) | smtp.yandex.ru | | 77.88.21.158 | A (IP address) | IN (0x0001)

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jan 13, 2021 21:54:16.429976940 CET | 587 | 49747 | 77.88.21.158 | 192.168.2.3 | 220 vla1-0125c0e65a03.qloud-c.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru)
Jan 13, 2021 21:54:16.430802107 CET | 49747 | 587 | 192.168.2.3 | 77.88.21.158 | EHLO 571345
Jan 13, 2021 21:54:16.524590015 CET | 587 | 49747 | 77.88.21.158 | 192.168.2.3 | 250-vla1-0125c0e65a03.qloud-c.yandex.net
    250-8BITMIME
    250-PIPELINING
    250-SIZE 42991616
    250-STARTTLS
    250-AUTH LOGIN PLAIN XOAUTH2
    250-DSN
    250 ENHANCEDSTATUSCODES
Jan 13, 2021 21:54:16.525309086 CET | 49747 | 587 | 192.168.2.3 | 77.88.21.158 | STARTTLS
Jan 13, 2021 21:54:16.618880033 CET | 587 | 49747 | 77.88.21.158 | 192.168.2.3 | 220 Go ahead
Jan 13, 2021 21:54:18.922470093 CET | 587 | 49748 | 77.88.21.158 | 192.168.2.3 | 220 vla3-3dd1bd6927b2.qloud-c.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru)
Jan 13, 2021 21:54:18.922744036 CET | 49748 | 587 | 192.168.2.3 | 77.88.21.158 | EHLO 571345
Jan 13, 2021 21:54:19.015132904 CET | 587 | 49748 | 77.88.21.158 | 192.168.2.3 | 250-vla3-3dd1bd6927b2.qloud-c.yandex.net
    250-8BITMIME
    250-PIPELINING
    250-SIZE 42991616
    250-STARTTLS
    250-AUTH LOGIN PLAIN XOAUTH2
    250-DSN
    250 ENHANCEDSTATUSCODES
Jan 13, 2021 21:54:19.015640020 CET | 49748 | 587 | 192.168.2.3 | 77.88.21.158 | STARTTLS
Jan 13, 2021 21:54:19.108129978 CET | 587 | 49748 | 77.88.21.158 | 192.168.2.3 | 220 Go ahead

                                                                              Code Manipulations

                                                                              Statistics

                                                                              CPU Usage

                                                                              Memory Usage

                                                                              High Level Behavior Distribution

                                                                              Behavior

                                                                              System Behavior

                                                                              General

                                                                              Start time:21:52:35
                                                                              Start date:13/01/2021
                                                                              Path:C:\Users\user\Desktop\Request For Quotation_pdf.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:'C:\Users\user\Desktop\Request For Quotation_pdf.exe'
                                                                              Imagebase:0x540000
                                                                              File size:1206272 bytes
                                                                              MD5 hash:A9125D57B0D4162E7DA34D6B8C10836F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.608313718.0000000003D76000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.610458939.00000000064C0000.00000004.00000001.sdmp, Author: Joe Security
                                                                              Reputation:low

                                                                              General

                                                                              Start time:21:52:43
                                                                              Start date:13/01/2021
                                                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FLahHLuGzK' /XML 'C:\Users\user\AppData\Local\Temp\tmp91A5.tmp'
                                                                              Imagebase:0x11a0000
                                                                              File size:185856 bytes
                                                                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              General

                                                                              Start time:21:52:43
                                                                              Start date:13/01/2021
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6b2800000
                                                                              File size:625664 bytes
                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Disassembly

                                                                              Code Analysis

                                                                                Executed Functions

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.602669208.0000000000B40000.00000040.00000001.sdmp, Offset: 00B40000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: db472128a54071180fb916019c17c4695263cafc42e458dbd82842c9dcc54817
                                                                                • Instruction ID: c72a9a76147dc8bb885a0d734ad6d89363f35797af4a1380b6cc373b12bdfa6e
                                                                                • Opcode Fuzzy Hash: db472128a54071180fb916019c17c4695263cafc42e458dbd82842c9dcc54817
                                                                                • Instruction Fuzzy Hash: B6722C30E006188FCB15EF78C8556DEBBF5AF89304F2085A9D54AAB751EF30AE85CB51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.602669208.0000000000B40000.00000040.00000001.sdmp, Offset: 00B40000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 553be8b08ede12a1f708aa3c4b94c47cf36f55a827939dc3ee1967d77338ad34
                                                                                • Instruction ID: 5ac907e7fda0d6d05703b2b1e291d3238e2798409beb7ca0d50754fbdf6f9acb
                                                                                • Opcode Fuzzy Hash: 553be8b08ede12a1f708aa3c4b94c47cf36f55a827939dc3ee1967d77338ad34
                                                                                • Instruction Fuzzy Hash: 10125D34A002089FDB14EFB4D8597ADBBB6EF88304F608869E505EB395DF34AD45DB60
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.602669208.0000000000B40000.00000040.00000001.sdmp, Offset: 00B40000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 070690b0b9d41cf93dbe558e5fefc179a98449637b4b2c4197345dcc852c65b8
                                                                                • Instruction ID: 59110168c385f1b6f99bbd18489a0acb5e89b1c2ed4b28191a4cb7e340ef6b1f
                                                                                • Opcode Fuzzy Hash: 070690b0b9d41cf93dbe558e5fefc179a98449637b4b2c4197345dcc852c65b8
                                                                                • Instruction Fuzzy Hash: 66F17070F006149FCB14DFB8C8446ADBBF2AF88314F248669E515EB396DB34ED469B90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32 ref: 028DBB48
                                                                                • GetCurrentThread.KERNEL32 ref: 028DBB85
                                                                                • GetCurrentProcess.KERNEL32 ref: 028DBBC2
                                                                                • GetCurrentThreadId.KERNEL32 ref: 028DBC1B
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.603983349.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: Current$ProcessThread
                                                                                • String ID:
                                                                                • API String ID: 2063062207-0
                                                                                • Opcode ID: d587bda28e9e81b9a5a5877b362f5e5a028349fb194caf2e30f1e31fc4af7813
                                                                                • Instruction ID: 7f10530d6d8f99af30ec2f2931058e0fbedc5cb8f9ee5b72da6bc8402d45e16d
                                                                                • Opcode Fuzzy Hash: d587bda28e9e81b9a5a5877b362f5e5a028349fb194caf2e30f1e31fc4af7813
                                                                                • Instruction Fuzzy Hash: 815177B4E047488FDB14CFA9D6887EEBBF1EF48318F208459D409A73A0D7746849CB65
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32 ref: 028DBB48
                                                                                • GetCurrentThread.KERNEL32 ref: 028DBB85
                                                                                • GetCurrentProcess.KERNEL32 ref: 028DBBC2
                                                                                • GetCurrentThreadId.KERNEL32 ref: 028DBC1B
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.603983349.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: Current$ProcessThread
                                                                                • String ID:
                                                                                • API String ID: 2063062207-0
                                                                                • Opcode ID: 37d8353fe903aba0b87f6f95d7182aa723bb58c5c6aaf7cd2628eb87b81c950b
                                                                                • Instruction ID: 532419153d3254ae5feb5aa455cb2dd18e07f881b430fb725dbe34a9bd7635bd
                                                                                • Opcode Fuzzy Hash: 37d8353fe903aba0b87f6f95d7182aa723bb58c5c6aaf7cd2628eb87b81c950b
                                                                                • Instruction Fuzzy Hash: 095158B4E047498FDB14CFA9D6887AEBBF1EF48318F208459D509A7390DB745848CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 028D9A36
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.603983349.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: HandleModule
                                                                                • String ID:
                                                                                • API String ID: 4139908857-0
                                                                                • Opcode ID: 1a977edc3cb923e7fbae6702ce6a975d30256bebc231ffe9510d9890a6d143eb
                                                                                • Instruction ID: c591320fd6dc607799465c5f8837952fa68df4e59851f6509e8176b79ed16781
                                                                                • Opcode Fuzzy Hash: 1a977edc3cb923e7fbae6702ce6a975d30256bebc231ffe9510d9890a6d143eb
                                                                                • Instruction Fuzzy Hash: 40712478A00B058FDB24DF6AD44079AB7F1FF88614F10892ED44AD7A40DB75E909CF91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00B48B69
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.602669208.0000000000B40000.00000040.00000001.sdmp, Offset: 00B40000, based on PE: false
                                                                                Similarity
                                                                                • API ID: QueryValue
                                                                                • String ID:
                                                                                • API String ID: 3660427363-0
                                                                                • Opcode ID: aebc605e27ceae87e810af8c8b6727717dfccd86762440f24611ec087e32ff8b
                                                                                • Instruction ID: 14ae45b932630aff2c72c4aa777d8686464f52dbebafc75b6051791dcff0fa77
                                                                                • Opcode Fuzzy Hash: aebc605e27ceae87e810af8c8b6727717dfccd86762440f24611ec087e32ff8b
                                                                                • Instruction Fuzzy Hash: 324139B1E042589FCB10CFA9D884A9EBFF5EF48304F14846AE819AB351DB759905CF91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00B48B69
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.602669208.0000000000B40000.00000040.00000001.sdmp, Offset: 00B40000, based on PE: false
                                                                                Similarity
                                                                                • API ID: QueryValue
                                                                                • String ID:
                                                                                • API String ID: 3660427363-0
                                                                                • Opcode ID: f3bb37245559d98f7ff27f45b0b627a72f605f03f9c2588486c9cb4a8b9252f4
                                                                                • Instruction ID: cb2cd401dfd8b9be5e54cdea15403b6507ab3e71aaf0f8bb9a9f84f8ecf76df3
                                                                                • Opcode Fuzzy Hash: f3bb37245559d98f7ff27f45b0b627a72f605f03f9c2588486c9cb4a8b9252f4
                                                                                • Instruction Fuzzy Hash: 4D31FFB1D002589FCB10CF9AC984A9EBBF5FF48750F14816AE819AB310DB71A905CFA0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 028DBD97
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.603983349.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: DuplicateHandle
                                                                                • String ID:
                                                                                • API String ID: 3793708945-0
                                                                                • Opcode ID: e2547e66251917e1d030a6448cfaa40dfb46f834166a4f94db4c2bef515665e0
                                                                                • Instruction ID: b693b681b4346cd1d880483c9aaca0565642b9297f077f5dfb86671696bfb8ad
                                                                                • Opcode Fuzzy Hash: e2547e66251917e1d030a6448cfaa40dfb46f834166a4f94db4c2bef515665e0
                                                                                • Instruction Fuzzy Hash: 5821C4B59042089FDF10CF9AD984ADEBBF4EB48324F15841AE918E7310D778A944CFA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,028D9AB1,00000800,00000000,00000000), ref: 028D9CC2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.603983349.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                • Opcode ID: d4cb3786aae4951378ea08543dbd3135fcef3f4635487dde9c53f9bcf387fd3a
                                                                                • Instruction ID: 95c1c75f9e98f41dddbe79b3b6c90fd2c463b0fc1a0b7875b7e0ef9846b21875
                                                                                • Opcode Fuzzy Hash: d4cb3786aae4951378ea08543dbd3135fcef3f4635487dde9c53f9bcf387fd3a
                                                                                • Instruction Fuzzy Hash: DB1114BA904208CFDB10CF9AD444BEEFBF4EB88324F14842AD519A7600C775A949CFA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 028D9A36
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.603983349.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: HandleModule
                                                                                • String ID:
                                                                                • API String ID: 4139908857-0
                                                                                • Opcode ID: b05c7001179b742bd76679dd09a978e12a6e4a649a8181eb754cf44e9210e0cc
                                                                                • Instruction ID: 6641f94a329ef4a0b21b72cba15b6a335230589eb380f77599422a7df677456c
                                                                                • Opcode Fuzzy Hash: b05c7001179b742bd76679dd09a978e12a6e4a649a8181eb754cf44e9210e0cc
                                                                                • Instruction Fuzzy Hash: 6911E0BAD046498FCB10CF9AD444BDEFBF4AB88324F15851AD829B7600D778A549CFA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Non-executed Functions

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.602669208.0000000000B40000.00000040.00000001.sdmp, Offset: 00B40000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f01667f5e949cdbe2d1f0167336377330327fc85490f18ae2b3cd035fcd1cc85
                                                                                • Instruction ID: 1cd53b8fe2543b4cdd218097ecdd2bc0c9e2467a883146f30e43d733578afd86
                                                                                • Opcode Fuzzy Hash: f01667f5e949cdbe2d1f0167336377330327fc85490f18ae2b3cd035fcd1cc85
                                                                                • Instruction Fuzzy Hash: 5CD2BD30B013588FD714EB78C8597AE7BF6AB85304F2484A9E509EB386DF34DD468B61
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.602669208.0000000000B40000.00000040.00000001.sdmp, Offset: 00B40000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c5132e04d8b1f7059ad479a0eed0186b10dab980b7171f047e199fddb5689602
                                                                                • Instruction ID: 824dbd573f5afd600ce7e296c2c9a12cfdacd49ef3394cdb9fd2bdcc75d6e656
                                                                                • Opcode Fuzzy Hash: c5132e04d8b1f7059ad479a0eed0186b10dab980b7171f047e199fddb5689602
                                                                                • Instruction Fuzzy Hash: 55726D30A002148FCB15AB74D859BADBBB7EF89304F1485A9E50ADB395DF34AD428F61
                                                                                Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.602669208.0000000000B40000.00000040.00000001.sdmp, Offset: 00B40000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2a0a312ca8a10d69ae8dbbe56e0685ce2a52e182d6e0340ac5ca650d67cb9842
• Instruction ID: 7f98cccb5480c9c547a32eda32bd3bde9675b74afd191029e6541997a6d146f5
• Opcode Fuzzy Hash: 2a0a312ca8a10d69ae8dbbe56e0685ce2a52e182d6e0340ac5ca650d67cb9842
• Instruction Fuzzy Hash: BA029E307493858FD702977898247AA7FF69F47304F1A80E7E584DF2E3E6299D068762
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.602669208.0000000000B40000.00000040.00000001.sdmp, Offset: 00B40000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 542696e48d9ba91b954a280a19e65be10fe64733578e3eb558434368d5870eec
• Instruction ID: 6fe31bf7f40353563ce497644ae09b8b6cca51c310390b4f48ac778df50c53e4
• Opcode Fuzzy Hash: 542696e48d9ba91b954a280a19e65be10fe64733578e3eb558434368d5870eec
• Instruction Fuzzy Hash: 70023D34A002188FDB24EBB9C8557ADBBF6BF88304F2084A9D509DB795DF349D46DB60
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.603983349.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 56f449b96d18ec5a9a52183376126bee7b0b29dd775b4f26af7e7d047845d0b7
• Instruction ID: 1f85289a2c2253d3daf1c7ad35504145e55c90cbb310d429ccae347004832c46
• Opcode Fuzzy Hash: 56f449b96d18ec5a9a52183376126bee7b0b29dd775b4f26af7e7d047845d0b7
• Instruction Fuzzy Hash: E212B5B5421F46CAD318DF65FCC82893BA1F755728B904308D2619BBF8D7B8254ACFA4
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.602669208.0000000000B40000.00000040.00000001.sdmp, Offset: 00B40000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f93ad22023dd2f18958e6d414fa9af269548b762f0f3e345b9dac39006bf0d4b
• Instruction ID: 730741de626c4de84d5fe9899b158c3cf7ea25c5dfc25c64cfef377597360bd7
• Opcode Fuzzy Hash: f93ad22023dd2f18958e6d414fa9af269548b762f0f3e345b9dac39006bf0d4b
• Instruction Fuzzy Hash: DB91B130B002145FDB54ABB9D859BAE77EBEF88704F208828E502DB384DF74DE0587A5
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.603983349.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: de127f1b013bdf2a0a4704f755098322fcd6afc48553879e11695519b54930a2
• Instruction ID: fb444e7625bc73e3ce725c6a067f5960883a58ce88992e2c9617ef4cd2d71c8e
• Opcode Fuzzy Hash: de127f1b013bdf2a0a4704f755098322fcd6afc48553879e11695519b54930a2
• Instruction Fuzzy Hash: 83A15E3AE00219CFCF15DFB9C8445AEBBB2FF85304B15856AE805EB221DB71A959CF50
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.603983349.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 061b27857582edda3d65e809f7fca023d0ffbeb5905ecd84f5b4830221661975
• Instruction ID: 404871e8aa1c24b479001d69d00f84118176f95bc2a3bd137458d5211bf482bc
• Opcode Fuzzy Hash: 061b27857582edda3d65e809f7fca023d0ffbeb5905ecd84f5b4830221661975
• Instruction Fuzzy Hash: 3CC12AB5821B46CAD714DF65FCC81893BB1FB85328F514318D161AB7E8D7B8244ACFA4
Uniqueness
Uniqueness Score: -1.00%