Analysis Report Zapytanie -20216470859302.exe

Overview

General Information

Sample Name: Zapytanie -20216470859302.exe
Analysis ID: 358341
MD5: d78bcccfe9e8e96d75e488dab97ba56f
SHA1: d4b2f340c8df782c4ebac3a3dabaab9db19aa28e
SHA256: 3832cbc966b60610c0452b4bfca9648126d7ab20fcd29a413a1b5f88abf7e685
Tags: AgentTesla

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large array initializations
.NET source code contains very large strings
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "FTP Info": "comercial@fil-net.comFil-2020net+smtp.fil-net.comgreendogman@yandex.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.896326467.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.638964828.0000000003101000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000003.00000002.897336626.0000000002B96000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.Zapytanie -20216470859302.exe.43bca80.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
3.2.Zapytanie -20216470859302.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.Zapytanie -20216470859302.exe.43bca80.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.Zapytanie -20216470859302.exe.3169490.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
0.2.Zapytanie -20216470859302.exe.42643b0.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: 0.2.Zapytanie -20216470859302.exe.42643b0.2.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "FTP Info": "comercial@fil-net.comFil-2020net+smtp.fil-net.comgreendogman@yandex.com"}
Machine Learning detection for sample
Source: Zapytanie -20216470859302.exe | Joe Sandbox ML: detected
Source: 3.2.Zapytanie -20216470859302.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: Zapytanie -20216470859302.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses secure TLS version for HTTPS connections
Source: unknown | HTTPS traffic detected: 50.19.252.36:443 -> 192.168.2.4:49761 version: TLS 1.2
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Zapytanie -20216470859302.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_062E24E8
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_062E24D8
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_062E21D0

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | TCP traffic: 192.168.2.4:49763 -> 46.16.61.250:587
Source: Joe Sandbox View | IP Address: 50.19.252.36 50.19.252.36
Source: Joe Sandbox View | ASN Name: CDMONsistemescdmoncomES CDMONsistemescdmoncomES
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: Zapytanie -20216470859302.exe, 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Zapytanie -20216470859302.exe, 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Zapytanie -20216470859302.exe, 00000003.00000003.842182229.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: Zapytanie -20216470859302.exe, 00000003.00000003.842182229.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: Zapytanie -20216470859302.exe, 00000003.00000003.842182229.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: Zapytanie -20216470859302.exe, 00000003.00000002.900549612.00000000068C1000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Zapytanie -20216470859302.exe, 00000003.00000003.842182229.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: Zapytanie -20216470859302.exe, 00000003.00000002.897300872.0000000002B7B000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: Zapytanie -20216470859302.exe, 00000003.00000002.897520193.0000000002D95000.00000004.00000001.sdmp, Zapytanie -20216470859302.exe, 00000003.00000002.897579753.0000000002DFB000.00000004.00000001.sdmp | String found in binary or memory: http://hqFkeHOniWF1AKH.org
Source: Zapytanie -20216470859302.exe, 00000003.00000002.897300872.0000000002B7B000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: Zapytanie -20216470859302.exe, 00000003.00000003.842182229.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0%
Source: Zapytanie -20216470859302.exe, 00000003.00000003.842182229.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: Zapytanie -20216470859302.exe, 00000000.00000002.638964828.0000000003101000.00000004.00000001.sdmp, Zapytanie -20216470859302.exe, 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Zapytanie -20216470859302.exe, 00000003.00000002.897562623.0000000002DE9000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.fil-net.com
Source: Zapytanie -20216470859302.exe, 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp | String found in binary or memory: http://umWsex.com
Source: Zapytanie -20216470859302.exe, 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org
Source: Zapytanie -20216470859302.exe, 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org/
Source: Zapytanie -20216470859302.exe, 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: Zapytanie -20216470859302.exe, 00000000.00000002.639307733.0000000004109000.00000004.00000001.sdmp, Zapytanie -20216470859302.exe, 00000003.00000002.896326467.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: Zapytanie -20216470859302.exe, 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: Zapytanie -20216470859302.exe, 00000003.00000002.897300872.0000000002B7B000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: Zapytanie -20216470859302.exe, 00000000.00000002.638964828.0000000003101000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: Zapytanie -20216470859302.exe, 00000000.00000002.639307733.0000000004109000.00000004.00000001.sdmp, Zapytanie -20216470859302.exe, 00000003.00000002.896326467.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Zapytanie -20216470859302.exe, 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown | HTTPS traffic detected: 50.19.252.36:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: Zapytanie -20216470859302.exe, 00000000.00000002.638710880.00000000014B8000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations
Source: 3.2.Zapytanie -20216470859302.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b90458A73u002d8324u002d4E56u002d8BE3u002d2A7ADB55DB6Bu007d/u0034305A58Eu002dD76Eu002d4574u002d8A32u002dFA9D5665EC26.cs | Large array initialization: .cctor: array initializer size 12012
.NET source code contains very large strings
Source: Zapytanie -20216470859302.exe, frmSplashScreen.cs | Long String: Length: 13656
Source: 0.0.Zapytanie -20216470859302.exe.ce0000.0.unpack, frmSplashScreen.cs | Long String: Length: 13656
Source: 0.2.Zapytanie -20216470859302.exe.ce0000.0.unpack, frmSplashScreen.cs | Long String: Length: 13656
Source: 2.0.Zapytanie -20216470859302.exe.210000.0.unpack, frmSplashScreen.cs | Long String: Length: 13656
Source: 2.2.Zapytanie -20216470859302.exe.210000.0.unpack, frmSplashScreen.cs | Long String: Length: 13656
Source: 3.2.Zapytanie -20216470859302.exe.710000.1.unpack, frmSplashScreen.cs | Long String: Length: 13656
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 0_2_00CE2050
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 0_2_0175C2A8
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 0_2_0175AB34
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 0_2_062E0040
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 0_2_062E10C0
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 0_2_062E2CE8
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 0_2_062E0006
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 2_2_00212050
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 3_3_068ED960
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 3_2_00712050
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 3_2_011047A0
Source: Zapytanie -20216470859302.exe | Binary or memory string: OriginalFilename vs Zapytanie -20216470859302.exe
Source: Zapytanie -20216470859302.exe, 00000000.00000002.638964828.0000000003101000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAsyncState.dllF vs Zapytanie -20216470859302.exe
Source: Zapytanie -20216470859302.exe, 00000000.00000002.638964828.0000000003101000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamefRoJCrdovlLLQXIyIMxNDkclBC.exe4 vs Zapytanie -20216470859302.exe
Source: Zapytanie -20216470859302.exe, 00000000.00000002.638710880.00000000014B8000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Zapytanie -20216470859302.exe
Source: Zapytanie -20216470859302.exe, 00000000.00000000.631772952.0000000000CE2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSurrogateKey.exe< vs Zapytanie -20216470859302.exe
Source: Zapytanie -20216470859302.exe, 00000000.00000002.639307733.0000000004109000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Zapytanie -20216470859302.exe
Source: Zapytanie -20216470859302.exe, 00000002.00000000.636391918.0000000000212000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSurrogateKey.exe< vs Zapytanie -20216470859302.exe
Source: Zapytanie -20216470859302.exe, 00000003.00000002.896326467.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamefRoJCrdovlLLQXIyIMxNDkclBC.exe4 vs Zapytanie -20216470859302.exe
Source: Zapytanie -20216470859302.exe, 00000003.00000002.900342702.0000000006380000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Zapytanie -20216470859302.exe
Source: Zapytanie -20216470859302.exe, 00000003.00000000.637339059.0000000000712000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSurrogateKey.exe< vs Zapytanie -20216470859302.exe
Source: Zapytanie -20216470859302.exe, 00000003.00000002.898747710.00000000050C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs Zapytanie -20216470859302.exe
Source: Zapytanie -20216470859302.exe, 00000003.00000002.896484624.0000000000B68000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Zapytanie -20216470859302.exe
Source: Zapytanie -20216470859302.exe, 00000003.00000002.900399923.00000000063F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Zapytanie -20216470859302.exe
Source: Zapytanie -20216470859302.exe | Binary or memory string: OriginalFilenameSurrogateKey.exe< vs Zapytanie -20216470859302.exe
Source: Zapytanie -20216470859302.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 3.2.Zapytanie -20216470859302.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: Zapytanie -20216470859302.exe, frmSplashScreen.cs | Base64 encoded string:
Source: 0.0.Zapytanie -20216470859302.exe.ce0000.0.unpack, frmSplashScreen.cs | Base64 encoded string:
Source: 0.2.Zapytanie -20216470859302.exe.ce0000.0.unpack, frmSplashScreen.cs | Base64 encoded string:
Source: 2.0.Zapytanie -20216470859302.exe.210000.0.unpack, frmSplashScreen.cs | Base64 encoded string:
Source: 2.2.Zapytanie -20216470859302.exe.210000.0.unpack, frmSplashScreen.cs | Base64 encoded string:
Source: 3.2.Zapytanie -20216470859302.exe.710000.1.unpack, frmSplashScreen.cs | Base64 encoded string:
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/2@3/2
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Zapytanie -20216470859302.exe.log
Source: Zapytanie -20216470859302.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Zapytanie -20216470859302.exe, 00000000.00000002.638964828.0000000003101000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Zapytanie -20216470859302.exe, 00000000.00000002.638964828.0000000003101000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: unknown | Process created: C:\Users\user\Desktop\Zapytanie -20216470859302.exe 'C:\Users\user\Desktop\Zapytanie -20216470859302.exe'
Source: unknown | Process created: C:\Users\user\Desktop\Zapytanie -20216470859302.exe C:\Users\user\Desktop\Zapytanie -20216470859302.exe
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Process created: C:\Users\user\Desktop\Zapytanie -20216470859302.exe C:\Users\user\Desktop\Zapytanie -20216470859302.exe
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Zapytanie -20216470859302.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Zapytanie -20216470859302.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 0_2_0175FCC8 pushad ; ret 0_2_0175FCD5
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 3_3_068EEEDD push esi; retf 3_3_068EEEE0
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 3_3_068EEA5F push FFFFFFDBh; iretd 3_3_068EEA70
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 3_2_010AD95C push eax; ret 3_2_010AD95D
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 3_2_010AE28A push eax; ret 3_2_010AE349
Source: initial sample | Static PE information: section name: .text entropy: 7.04403156947
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM_3
                      Source: Yara match File source: 00000000.00000002.638964828.0000000003101000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: Zapytanie -20216470859302.exe PID: 7112, type: MEMORY
                      Source: Yara match File source: 0.2.Zapytanie -20216470859302.exe.3169490.1.raw.unpack, type: UNPACKEDPE
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: Zapytanie -20216470859302.exe, 00000000.00000002.638964828.0000000003101000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
                      Source: Zapytanie -20216470859302.exe, 00000000.00000002.638964828.0000000003101000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe Window / User API: threadDelayed 1351
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe Window / User API: threadDelayed 8444
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe TID: 7116 Thread sleep time: -104784s >= -30000s
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe TID: 7144 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe TID: 5880 Thread sleep time: -19369081277395017s >= -30000s
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe TID: 6064 Thread sleep count: 1351 > 30
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe TID: 6064 Thread sleep count: 8444 > 30
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe TID: 5880 Thread sleep count: 44 > 30
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: Zapytanie -20216470859302.exe, 00000000.00000002.638964828.0000000003101000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: Zapytanie -20216470859302.exe, 00000000.00000002.638964828.0000000003101000.00000004.00000001.sdmp Binary or memory string: vmware
                      Source: Zapytanie -20216470859302.exe, 00000000.00000002.638964828.0000000003101000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
                      Source: Zapytanie -20216470859302.exe, 00000000.00000002.638964828.0000000003101000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe Memory allocated: page read and write | page guard
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe Process created: C:\Users\user\Desktop\Zapytanie -20216470859302.exe C:\Users\user\Desktop\Zapytanie -20216470859302.exe
                      Source: Zapytanie -20216470859302.exe, 00000003.00000002.897095034.0000000001590000.00000002.00000001.sdmp Binary or memory string: Program Manager
                      Source: Zapytanie -20216470859302.exe, 00000003.00000002.897095034.0000000001590000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
                      Source: Zapytanie -20216470859302.exe, 00000003.00000002.897095034.0000000001590000.00000002.00000001.sdmp Binary or memory string: Progman
                      Source: Zapytanie -20216470859302.exe, 00000003.00000002.897095034.0000000001590000.00000002.00000001.sdmp Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe Queries volume information: C:\Users\user\Desktop\Zapytanie -20216470859302.exe VolumeInformation
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match File source: 00000003.00000002.896326467.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000002.897336626.0000000002B96000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.639307733.0000000004109000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: Zapytanie -20216470859302.exe PID: 6340, type: MEMORY
                      Source: Yara match File source: Process Memory Space: Zapytanie -20216470859302.exe PID: 7112, type: MEMORY
                      Source: Yara match File source: 0.2.Zapytanie -20216470859302.exe.43bca80.3.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.Zapytanie -20216470859302.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.Zapytanie -20216470859302.exe.43bca80.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.Zapytanie -20216470859302.exe.42643b0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.Zapytanie -20216470859302.exe.42bf9d0.4.raw.unpack, type: UNPACKEDPE
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Tries to harvest and steal ftp login credentials
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Tries to steal Mail credentials (via file access)
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: Yara match File source: 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: Zapytanie -20216470859302.exe PID: 6340, type: MEMORY

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Source: Yara match File source: 00000003.00000002.896326467.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000002.897336626.0000000002B96000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.639307733.0000000004109000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: Zapytanie -20216470859302.exe PID: 6340, type: MEMORY
                      Source: Yara match File source: Process Memory Space: Zapytanie -20216470859302.exe PID: 7112, type: MEMORY
                      Source: Yara match File source: 0.2.Zapytanie -20216470859302.exe.43bca80.3.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.Zapytanie -20216470859302.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.Zapytanie -20216470859302.exe.43bca80.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.Zapytanie -20216470859302.exe.42643b0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.Zapytanie -20216470859302.exe.42bf9d0.4.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 12 | Masquerading 1 | OS Credential Dumping 2 | Query Registry 1 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 13 | Input Capture 1 | Security Software Discovery 211 | Remote Desktop Protocol | Input Capture 1 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Credentials in Registry 1 | Virtualization/Sandbox Evasion 13 | SMB/Windows Admin Shares | Archive Collected Data 11 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 12 | NTDS | Process Discovery 2 | Distributed Component Object Model | Data from Local System 2 | Scheduled Transfer | Application Layer Protocol 12 | SIM Card Swap | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 31 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 2 | DCSync | System Network Configuration Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 114 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue

                      Behavior Graph

                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label | Link
                      Zapytanie -20216470859302.exe | 100% | Joe Sandbox ML

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      Source | Detection | Scanner | Label | Link
                      3.2.Zapytanie -20216470859302.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://hqFkeHOniWF1AKH.org | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://umWsex.com | 0% | Avira URL Cloud | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://r3.o.lencr.org0 | 0% | URL Reputation | safe
http://smtp.fil-net.com | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe
http://r3.i.lencr.org/0% | 0% | Avira URL Cloud | safe
https://api.ipify.orgGETMozilla/5.0 | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
elb097307-934924932.us-east-1.elb.amazonaws.com | 50.19.252.36 | true | false | | high
smtp.fil-net.com | 46.16.61.250 | true | true | | unknown
api.ipify.org | unknown | unknown | false | | high

                            URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://hqFkeHOniWF1AKH.org | Zapytanie -20216470859302.exe, 00000003.00000002.897520193.0000000002D95000.00000004.00000001.sdmp, Zapytanie -20216470859302.exe, 00000003.00000002.897579753.0000000002DFB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org/ | Zapytanie -20216470859302.exe, 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp | false | | high
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | Zapytanie -20216470859302.exe, 00000003.00000002.897300872.0000000002B7B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://127.0.0.1:HTTP/1.1 | Zapytanie -20216470859302.exe, 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://api.ipify.org | Zapytanie -20216470859302.exe, 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp | false | | high
http://DynDns.comDynDNS | Zapytanie -20216470859302.exe, 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0 | Zapytanie -20216470859302.exe, 00000003.00000002.897300872.0000000002B7B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://umWsex.com | Zapytanie -20216470859302.exe, 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.sectigo.com0 | Zapytanie -20216470859302.exe, 00000003.00000002.897300872.0000000002B7B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://cps.letsencrypt.org0 | Zapytanie -20216470859302.exe, 00000003.00000003.842182229.00000000068F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | Zapytanie -20216470859302.exe, 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot%telegramapi%/ | Zapytanie -20216470859302.exe, 00000000.00000002.639307733.0000000004109000.00000004.00000001.sdmp, Zapytanie -20216470859302.exe, 00000003.00000002.896326467.0000000000402000.00000040.00000001.sdmp | false | | high
http://r3.o.lencr.org0 | Zapytanie -20216470859302.exe, 00000003.00000003.842182229.00000000068F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://smtp.fil-net.com | Zapytanie -20216470859302.exe, 00000003.00000002.897562623.0000000002DE9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Zapytanie -20216470859302.exe, 00000000.00000002.638964828.0000000003101000.00000004.00000001.sdmp, Zapytanie -20216470859302.exe, 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp | false | | high
https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x | Zapytanie -20216470859302.exe, 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Zapytanie -20216470859302.exe, 00000000.00000002.639307733.0000000004109000.00000004.00000001.sdmp, Zapytanie -20216470859302.exe, 00000003.00000002.896326467.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | Zapytanie -20216470859302.exe, 00000000.00000002.638964828.0000000003101000.00000004.00000001.sdmp | false | | high
http://cps.root-x1.letsencrypt.org0 | Zapytanie -20216470859302.exe, 00000003.00000003.842182229.00000000068F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://r3.i.lencr.org/0% | Zapytanie -20216470859302.exe, 00000003.00000003.842182229.00000000068F2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.orgGETMozilla/5.0 | Zapytanie -20216470859302.exe, 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                                        Contacted IPs


                                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
46.16.61.250 | unknown | Spain | 197712 | CDMONsistemescdmoncomES | true
50.19.252.36 | unknown | United States | 14618 | AMAZON-AESUS | false

                                        General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 358341
Start date: 25.02.2021
Start time: 12:43:18
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 5s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Zapytanie -20216470859302.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@5/2@3/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 0% (good quality ratio 0%)
• Quality average: 81%
• Quality standard deviation: 0%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 35
• Number of non-executed functions: 5
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 104.43.139.144, 13.88.21.125, 13.64.90.137, 104.43.193.48, 51.104.139.180, 52.155.217.156, 20.54.26.129, 2.20.142.209, 2.20.142.210, 51.132.208.181, 92.122.213.247, 92.122.213.194
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/358341/sample/Zapytanie -20216470859302.exe

                                        Simulations

                                        Behavior and APIs

Time | Type | Description
12:44:00 | API Interceptor | 778x Sleep call for process: Zapytanie -20216470859302.exe modified

                                        Joe Sandbox View / Context

                                        IPs

Associated Sample Name / URL | Detection | Context

Match: 46.16.61.250
winlog.exe | malicious
PRESUPUESTO.xlsx | malicious
Nakit Akisi Detaylariniz.exe | malicious
S67xSX1MNR.exe | malicious

Match: 50.19.252.36
GTS_21_9018_ORDER_pdf.exe | malicious | api.ipify.org/
Hs52qascx.dll | malicious | api.ipify.org/?format=xml
0211_38602014674781.doc | malicious | api.ipify.org/?format=xml
W0rd.dll | malicious | api.ipify.org/
Wh102yYa.dll | malicious | api.ipify.org/
gHodcQLJM6.exe | malicious | api.ipify.org/?format=xml
Wh102yYa.dll | malicious | api.ipify.org/
0112_91448090.doc | malicious | api.ipify.org/
0112_1079750132.doc | malicious | api.ipify.org/
Our New Order Jan 12 2021 at 2.30_PVV440_PDF.exe | malicious | api.ipify.org/
q8yEckmvk1.exe | malicious | api.ipify.org/
SecuriteInfo.com.Trojan.PWS.Stealer.29660.11031.exe | malicious | api.ipify.org/
vAbH6UC7Hy.exe | malicious | api.ipify.org/
sample.exe | malicious | api.ipify.org/
BBVA confirming Aviso de pago Eur5780201120.exe | malicious | api.ipify.org/
G7APZjNv6i.exe | malicious | api.ipify.org/
InquirySW23020KT.com.exe | malicious | api.ipify.org/
RFQ.exe | malicious | api.ipify.org/
E099874321.exe | malicious | api.ipify.org/
BL21157346500MB6ZE1MA.xls.exe | malicious | api.ipify.org/

                                                Domains

Associated Sample Name / URL | Detection | Context

Match: elb097307-934924932.us-east-1.elb.amazonaws.com
0224_13930141056302.doc | malicious | 54.243.164.148
RFQ- 978002410.exe | malicious | 23.21.140.41
HblVSJaQa1.exe | malicious | 54.225.214.197
FspMzSMtYA.exe | malicious | 23.21.76.253
0224_11959736734789.doc | malicious | 54.225.66.103
New Po #0126733 2021.exe | malicious | 54.225.129.141
530000.exe | malicious | 23.21.252.4
MT SC GUANGZHOU.exe | malicious | 54.221.253.252
MT WOOJIN CHEMS V.2103.exe | malicious | 54.225.66.103
GTS_21_9018_ORDER_pdf.exe | malicious | 50.19.252.36
Attach_847148466_1889687887.xls | malicious | 54.221.253.252
BANK SWIFT- USD 98,712.00.pdf.exe | malicious | 23.21.126.66
FAU000000000.exe | malicious | 54.235.189.250
RkoKlvuLh6.exe | malicious | 50.19.96.218
i0fOtOV8v0.exe | malicious | 54.221.253.252
zLyXzE7WZi.exe | malicious | 50.19.96.218
wLy18x5e2o.exe | malicious | 54.243.164.148
m32I79J0kJ.exe | malicious | 54.235.83.248
QJ2UZbJWDS.exe | malicious | 23.21.76.253
jWtClvtYBb.exe | malicious | 54.235.83.248

Match: smtp.fil-net.com
Nakit Akisi Detaylariniz.exe | malicious | 46.16.61.250

                                                ASN

Associated Sample Name / URL | Detection | Context

Match: AMAZON-AESUS
C1 PureQuest PO S1026710.xlsm | malicious | 100.24.200.179
C1 PureQuest PO S1026710.xlsm | malicious | 34.226.34.190
ibne8SNXWv.exe | malicious | 3.83.18.241
ibne8SNXWv.exe | malicious | 3.83.18.241
0224_13930141056302.doc | malicious | 50.19.96.218
RFQ- 978002410.exe | malicious | 23.21.140.41
HblVSJaQa1.exe | malicious | 54.225.214.197
007.docx | malicious | 18.209.89.50
007.docx | malicious | 3.222.126.94
Malone3388_001.htm | malicious | 100.24.186.63
FspMzSMtYA.exe | malicious | 23.21.76.253
0224_11959736734789.doc | malicious | 54.225.66.103
New Po #0126733 2021.exe | malicious | 54.225.129.141
RQP_10378065.exe | malicious | 3.223.115.185
Price quotation.exe | malicious | 100.25.237.136
a.exe | malicious | 34.237.10.189
530000.exe | malicious | 23.21.252.4
dwg.exe | malicious | 3.223.115.185
MT SC GUANGZHOU.exe | malicious | 54.221.253.252
Order List - 022321-xlxs.exe | malicious | 52.0.217.44

Match: CDMONsistemescdmoncomES
njGJ1eW44wshoMr.exe | malicious | 46.16.62.134
3nG9LW7Z21dxUoM.exe | malicious | 46.16.62.134
keeFDE9dhCGNNez.exe | malicious | 46.16.62.134
74tF1foMeQyUMCh.exe | malicious | 46.16.62.134
qm7JU84PFgfqvgs.exe | malicious | 46.16.62.134
winlog.exe | malicious | 46.16.61.250
PRESUPUESTO.xlsx | malicious | 46.16.61.250
WbGKi8E5OE4eCFG.exe | malicious | 46.16.62.134
r9SWnqQlK8PFPEp.exe | malicious | 46.16.62.134
L9oOm9x3I7YZFcA.exe | malicious | 46.16.62.134
SecuriteInfo.com.Trojan.DownLoader36.34557.26355.exe | malicious | 134.0.10.35
jKiL1mzTAVltJ30.exe | malicious | 46.16.62.134
09xcuRN2HJmRRCm.exe | malicious | 46.16.62.134
57229937-122020-4-7676523.doc | malicious | 185.66.41.128
aLjBjGUvWecwGptNRQryBtRBaVCtO.exe | malicious | 46.16.62.134
UsU2f18QuIdAe2U.exe | malicious | 46.16.62.134
Nakit Akisi Detaylariniz.exe | malicious | 46.16.61.250
Archivo_122020_1977149.doc | malicious | 185.66.41.128
Doc.doc | malicious | 185.66.41.127
JI35907_2020.doc | malicious | 185.66.41.127

                                                JA3 Fingerprints

Associated Sample Name / URL | Detection | Context

Match: 3b5074b1b5d032e5620f69f9f700ff0e
kBJlVQuchM.exe | malicious | 50.19.252.36
Purchase order.exe | malicious | 50.19.252.36
HblVSJaQa1.exe | malicious | 50.19.252.36
FspMzSMtYA.exe | malicious | 50.19.252.36
New Po #0126733 2021.exe | malicious | 50.19.252.36
530000.exe | malicious | 50.19.252.36
Bitcoin Mining 2021 Feb.exe | malicious | 50.19.252.36
MT SC GUANGZHOU.exe | malicious | 50.19.252.36
MT WOOJIN CHEMS V.2103.exe | malicious | 50.19.252.36
EOrg2020.exe | malicious | 50.19.252.36
Bitcoin Mining 2021 Feb.exe | malicious | 50.19.252.36
AZjP1E0nRZ.exe | malicious | 50.19.252.36
x0yccMVTIb.exe | malicious | 50.19.252.36
WHz0D1UERA.exe | malicious | 50.19.252.36
SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | malicious | 50.19.252.36
1i0Bvmiuqg.exe | malicious | 50.19.252.36
SecuriteInfo.com.Variant.Zusy.368685.25375.exe | malicious | 50.19.252.36
OC 136584.PDF.exe | malicious | 50.19.252.36
Quote_13940007.exe | malicious | 50.19.252.36
SecuriteInfo.com.Variant.Zusy.368685.25618.exe | malicious | 50.19.252.36

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Zapytanie -20216470859302.exe.log
                                                Process: C:\Users\user\Desktop\Zapytanie -20216470859302.exe
                                                File Type: ASCII text, with CRLF line terminators
                                                Category: dropped
                                                Size (bytes): 1314
                                                Entropy (8bit): 5.350128552078965
                                                Encrypted: false
                                                SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                Malicious: true
                                                Reputation: high, very likely benign file
                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                C:\Users\user\AppData\Roaming\wvbj0rxz.1ql\Chrome\Default\Cookies
                                                Process: C:\Users\user\Desktop\Zapytanie -20216470859302.exe
                                                File Type: SQLite 3.x database, last written using SQLite version 3032001
                                                Category: dropped
                                                Size (bytes): 20480
                                                Entropy (8bit): 0.7006690334145785
                                                Encrypted: false
                                                SSDEEP: 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
                                                MD5: A7FE10DA330AD03BF22DC9AC76BBB3E4
                                                SHA1: 1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
                                                SHA-256: 8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
                                                SHA-512: 1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
                                                Malicious: false
                                                Reputation: moderate, very likely benign file
                                                Preview: SQLite format 3 (the rest of the preview consists of non-printable bytes)

                                                Static File Info

                                                General

                                                File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit): 7.032444091192518
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Windows Screen Saver (13104/52) 0.07%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                File name: Zapytanie -20216470859302.exe
                                                File size: 780288
                                                MD5: d78bcccfe9e8e96d75e488dab97ba56f
                                                SHA1: d4b2f340c8df782c4ebac3a3dabaab9db19aa28e
                                                SHA256: 3832cbc966b60610c0452b4bfca9648126d7ab20fcd29a413a1b5f88abf7e685
                                                SHA512: cb1ef6c6357cb869343e607fb41a6a6584950fcec81063269a30a5edf3e5bdaddd016883437205db884881decccfe111db81b3eb6a204e56b127e59dcd541594
                                                SSDEEP: 12288:WADfGTIgkG8bfvECBtVUXDU+I/o7TH1uWoOxEJDrDeKo:WUfG+G8b0CBk6GTVuLmF
                                                File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...9o7`..............P......T........... ........@.. .......................@............@................................

                                                File Icon

                                                Icon Hash: e0dad4adc4d2d870

                                                Static PE Info

                                                General

                                                Entrypoint: 0x4bb0b6
                                                Entrypoint Section: .text
                                                Digitally signed: false
                                                Imagebase: 0x400000
                                                Subsystem: windows gui
                                                Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
                                                DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                Time Stamp: 0x60376F39 [Thu Feb 25 09:34:49 2021 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version: v4.0.30319
                                                OS Version Major: 4
                                                OS Version Minor: 0
                                                File Version Major: 4
                                                File Version Minor: 0
                                                Subsystem Version Major: 4
                                                Subsystem Version Minor: 0
                                                Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                                Entrypoint Preview

                                                Instruction
                                                jmp dword ptr [00402000h]

                                                Data Directories

                                                Name                                  Virtual Address  Virtual Size  Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_IMPORT          0xbb064          0x4f          .text
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE        0xbc000          0x51c8        .rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc2000          0xc           .reloc
                                                IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                Sections

                                                Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                                .text   0x2000           0xb90bc       0xb9200   False     0.603581564399   data       7.04403156947   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                .rsrc   0xbc000          0x51c8        0x5200    False     0.189500762195   data       4.2360167597    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .reloc  0xc2000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                Resources

                                                Name           RVA      Size    Type                                                                              Language  Country
                                                RT_ICON        0xbc100  0x4228  dBase III DBT, version number 0, next free block index 40
                                                RT_GROUP_ICON  0xc0338  0x14    data
                                                RT_VERSION     0xc035c  0x340   data
                                                RT_MANIFEST    0xc06ac  0xb15   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

                                                Imports

                                                DLL          Import
                                                mscoree.dll  _CorExeMain

                                                Version Infos

                                                Description       Data
                                                Translation       0x0000 0x04b0
                                                LegalCopyright    Copyright 2014
                                                Assembly Version  3.0.0.0
                                                InternalName      SurrogateKey.exe
                                                FileVersion       3.0.0.0
                                                CompanyName       KTV
                                                LegalTrademarks
                                                Comments
                                                ProductName       KTVManagement
                                                ProductVersion    3.0.0.0
                                                FileDescription   KTVManagement
                                                OriginalFilename  SurrogateKey.exe

                                                Network Behavior

                                                Network Port Distribution

                                                TCP Packets

                                                Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                Feb 25, 2021 12:45:39.443653107 CET5874976546.16.61.250192.168.2.4
                                                Feb 25, 2021 12:45:40.523966074 CET5874976546.16.61.250192.168.2.4
                                                Feb 25, 2021 12:45:40.573029995 CET49765587192.168.2.446.16.61.250

                                                UDP Packets


                                                DNS Queries

                                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                Feb 25, 2021 12:45:30.752023935 CET | 192.168.2.4 | 8.8.8.8 | 0xa848 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001)
                                                Feb 25, 2021 12:45:30.848331928 CET | 192.168.2.4 | 8.8.8.8 | 0xf2c | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001)
                                                Feb 25, 2021 12:45:35.946440935 CET | 192.168.2.4 | 8.8.8.8 | 0xadd3 | Standard query (0) | smtp.fil-net.com | A (IP address) | IN (0x0001)

                                                DNS Answers

                                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                Feb 25, 2021 12:45:30.800823927 CET | 8.8.8.8 | 192.168.2.4 | 0xa848 | No error (0) | api.ipify.org | nagano-19599.herokussl.com | - | CNAME (Canonical name) | IN (0x0001)
                                                Feb 25, 2021 12:45:30.800823927 CET | 8.8.8.8 | 192.168.2.4 | 0xa848 | No error (0) | nagano-19599.herokussl.com | elb097307-934924932.us-east-1.elb.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001)
                                                Feb 25, 2021 12:45:30.800823927 CET | 8.8.8.8 | 192.168.2.4 | 0xa848 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 50.19.252.36 | A (IP address) | IN (0x0001)
                                                Feb 25, 2021 12:45:30.800823927 CET | 8.8.8.8 | 192.168.2.4 | 0xa848 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.225.66.103 | A (IP address) | IN (0x0001)
                                                Feb 25, 2021 12:45:30.800823927 CET | 8.8.8.8 | 192.168.2.4 | 0xa848 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.225.214.197 | A (IP address) | IN (0x0001)
                                                Feb 25, 2021 12:45:30.800823927 CET | 8.8.8.8 | 192.168.2.4 | 0xa848 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 50.19.96.218 | A (IP address) | IN (0x0001)
                                                Feb 25, 2021 12:45:30.800823927 CET | 8.8.8.8 | 192.168.2.4 | 0xa848 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.243.164.148 | A (IP address) | IN (0x0001)
                                                Feb 25, 2021 12:45:30.800823927 CET | 8.8.8.8 | 192.168.2.4 | 0xa848 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 23.21.48.44 | A (IP address) | IN (0x0001)
                                                Feb 25, 2021 12:45:30.800823927 CET | 8.8.8.8 | 192.168.2.4 | 0xa848 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.225.129.141 | A (IP address) | IN (0x0001)
                                                Feb 25, 2021 12:45:30.800823927 CET | 8.8.8.8 | 192.168.2.4 | 0xa848 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 23.21.140.41 | A (IP address) | IN (0x0001)
                                                Feb 25, 2021 12:45:30.897142887 CET | 8.8.8.8 | 192.168.2.4 | 0xf2c | No error (0) | api.ipify.org | nagano-19599.herokussl.com | - | CNAME (Canonical name) | IN (0x0001)
                                                Feb 25, 2021 12:45:30.897142887 CET | 8.8.8.8 | 192.168.2.4 | 0xf2c | No error (0) | nagano-19599.herokussl.com | elb097307-934924932.us-east-1.elb.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001)
                                                Feb 25, 2021 12:45:30.897142887 CET | 8.8.8.8 | 192.168.2.4 | 0xf2c | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.225.214.197 | A (IP address) | IN (0x0001)
                                                Feb 25, 2021 12:45:30.897142887 CET | 8.8.8.8 | 192.168.2.4 | 0xf2c | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.235.83.248 | A (IP address) | IN (0x0001)
                                                Feb 25, 2021 12:45:30.897142887 CET | 8.8.8.8 | 192.168.2.4 | 0xf2c | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 23.21.252.4 | A (IP address) | IN (0x0001)
                                                Feb 25, 2021 12:45:30.897142887 CET | 8.8.8.8 | 192.168.2.4 | 0xf2c | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.235.189.250 | A (IP address) | IN (0x0001)
                                                Feb 25, 2021 12:45:30.897142887 CET | 8.8.8.8 | 192.168.2.4 | 0xf2c | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 23.21.140.41 | A (IP address) | IN (0x0001)
                                                Feb 25, 2021 12:45:30.897142887 CET | 8.8.8.8 | 192.168.2.4 | 0xf2c | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.221.253.252 | A (IP address) | IN (0x0001)
                                                Feb 25, 2021 12:45:30.897142887 CET | 8.8.8.8 | 192.168.2.4 | 0xf2c | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 50.19.252.36 | A (IP address) | IN (0x0001)
                                                Feb 25, 2021 12:45:30.897142887 CET | 8.8.8.8 | 192.168.2.4 | 0xf2c | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.243.164.148 | A (IP address) | IN (0x0001)
                                                Feb 25, 2021 12:45:36.026029110 CET | 8.8.8.8 | 192.168.2.4 | 0xadd3 | No error (0) | smtp.fil-net.com | - | 46.16.61.250 | A (IP address) | IN (0x0001)

                                                HTTPS Packets

                                                Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
                                                Feb 25, 2021 12:45:31.206995010 CET | 50.19.252.36 | 443 | 192.168.2.4 | 49761 | CN=*.ipify.org | CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB | Tue Jan 19 01:00:00 CET 2021 | Sun Feb 20 00:59:59 CET 2022 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 3b5074b1b5d032e5620f69f9f700ff0e

                                                Certificate chain presented in the same handshake (Subject | Issuer | Not Before | Not After):
                                                CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB | CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US | Fri Nov 02 01:00:00 CET 2018 | Wed Jan 01 00:59:59 CET 2031
                                                CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Tue Mar 12 01:00:00 CET 2019 | Mon Jan 01 00:59:59 CET 2029
                                                CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Jan 01 01:00:00 CET 2004 | Mon Jan 01 00:59:59 CET 2029

                                                SMTP Packets

                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                Feb 25, 2021 12:45:36.525538921 CET | 587 | 49763 | 46.16.61.250 | 192.168.2.4 | 220 vxsys-smtpclusterma-01.srv.cat ESMTP
                                                Feb 25, 2021 12:45:36.530191898 CET | 49763 | 587 | 192.168.2.4 | 46.16.61.250 | EHLO 114127
                                                Feb 25, 2021 12:45:36.591625929 CET | 587 | 49763 | 46.16.61.250 | 192.168.2.4 | 250-vxsys-smtpclusterma-01.srv.cat
                                                    250-PIPELINING
                                                    250-SIZE 47185920
                                                    250-ETRN
                                                    250-STARTTLS
                                                    250-AUTH LOGIN PLAIN CRAM-MD5 DIGEST-MD5
                                                    250-ENHANCEDSTATUSCODES
                                                    250-8BITMIME
                                                    250-DSN
                                                    250 CHUNKING
                                                Feb 25, 2021 12:45:36.591926098 CET | 49763 | 587 | 192.168.2.4 | 46.16.61.250 | STARTTLS
                                                Feb 25, 2021 12:45:36.653891087 CET | 587 | 49763 | 46.16.61.250 | 192.168.2.4 | 220 2.0.0 Ready to start TLS
                                                Feb 25, 2021 12:45:38.632824898 CET | 587 | 49765 | 46.16.61.250 | 192.168.2.4 | 220 vxsys-smtpclusterma-05.srv.cat ESMTP
                                                Feb 25, 2021 12:45:38.633137941 CET | 49765 | 587 | 192.168.2.4 | 46.16.61.250 | EHLO 114127
                                                Feb 25, 2021 12:45:38.702189922 CET | 587 | 49765 | 46.16.61.250 | 192.168.2.4 | 250-vxsys-smtpclusterma-05.srv.cat
                                                    250-PIPELINING
                                                    250-SIZE 47185920
                                                    250-ETRN
                                                    250-STARTTLS
                                                    250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
                                                    250-ENHANCEDSTATUSCODES
                                                    250-8BITMIME
                                                    250-DSN
                                                    250 CHUNKING
                                                Feb 25, 2021 12:45:38.702475071 CET | 49765 | 587 | 192.168.2.4 | 46.16.61.250 | STARTTLS
                                                Feb 25, 2021 12:45:38.769692898 CET | 587 | 49765 | 46.16.61.250 | 192.168.2.4 | 220 2.0.0 Ready to start TLS

                                                Code Manipulations

                                                Statistics

                                                CPU Usage

                                                Memory Usage

                                                High Level Behavior Distribution

                                                Behavior

                                                System Behavior

                                                General

                                                Start time: 12:43:59
                                                Start date: 25/02/2021
                                                Path: C:\Users\user\Desktop\Zapytanie -20216470859302.exe
                                                Wow64 process (32bit): true
                                                Commandline: 'C:\Users\user\Desktop\Zapytanie -20216470859302.exe'
                                                Imagebase: 0xce0000
                                                File size: 780288 bytes
                                                MD5 hash: D78BCCCFE9E8E96D75E488DAB97BA56F
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: .Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.638964828.0000000003101000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.639307733.0000000004109000.00000004.00000001.sdmp, Author: Joe Security
                                                Reputation: low

                                                General

                                                Start time: 12:44:01
                                                Start date: 25/02/2021
                                                Path: C:\Users\user\Desktop\Zapytanie -20216470859302.exe
                                                Wow64 process (32bit): false
                                                Commandline: C:\Users\user\Desktop\Zapytanie -20216470859302.exe
                                                Imagebase: 0x210000
                                                File size: 780288 bytes
                                                MD5 hash: D78BCCCFE9E8E96D75E488DAB97BA56F
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Reputation: low

                                                General

                                                Start time: 12:44:01
                                                Start date: 25/02/2021
                                                Path: C:\Users\user\Desktop\Zapytanie -20216470859302.exe
                                                Wow64 process (32bit): true
                                                Commandline: C:\Users\user\Desktop\Zapytanie -20216470859302.exe
                                                Imagebase: 0x710000
                                                File size: 780288 bytes
                                                MD5 hash: D78BCCCFE9E8E96D75E488DAB97BA56F
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: .Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.896326467.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.897336626.0000000002B96000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp, Author: Joe Security
                                                Reputation: low

                                                Disassembly

                                                Code Analysis

                                                  Executed Functions


                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0175DD8A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.638888493.0000000001750000.00000040.00000001.sdmp, Offset: 01750000, based on PE: false
                                                  Similarity
                                                  • API ID: CreateWindow
                                                  • String ID:
                                                  • API String ID: 716092398-0
                                                  • Opcode ID: 6e1dc23b60a76c84fc55dd7c44dce0698abfe6de53e87ea6e28229f21350d3ec
                                                  • Instruction ID: e1f0dea2f220786100bce48e04808d5e1cc094f80c233badd3cc0ce11880fb3a
                                                  • Opcode Fuzzy Hash: 6e1dc23b60a76c84fc55dd7c44dce0698abfe6de53e87ea6e28229f21350d3ec
                                                  • Instruction Fuzzy Hash: 986124B2C003499FDF12CFA9C984ADDBFB1BF49310F15816AE918AB261D3759985CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0175DD8A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.638888493.0000000001750000.00000040.00000001.sdmp, Offset: 01750000, based on PE: false
                                                  Similarity
                                                  • API ID: CreateWindow
                                                  • String ID:
                                                  • API String ID: 716092398-0
                                                  • Opcode ID: 0951838dc5409712345f0f2e4ece841d59ea1590b6baa0b99940f04a962c52c0
                                                  • Instruction ID: 98843af5278624d4da9dcc3d8bbd5a99937954b4df738e41e74f71f36095e842
                                                  • Opcode Fuzzy Hash: 0951838dc5409712345f0f2e4ece841d59ea1590b6baa0b99940f04a962c52c0
                                                  • Instruction Fuzzy Hash: C2519DB1D003099FDB15CF9AC884ADEFBB5BF48314F24812AE919AB210D7B59985CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,01756D9E,?,?,?,?,?), ref: 01756E5F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.638888493.0000000001750000.00000040.00000001.sdmp, Offset: 01750000, based on PE: false
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 5ac511aaaf81bb3f1a4f1a2e0aa6153a76110a9e275ae53c3d2671a541f6167a
                                                  • Instruction ID: 02e229936a9319223496f8af0521bbdf932e5c07c431d0135de8fafce314f564
                                                  • Opcode Fuzzy Hash: 5ac511aaaf81bb3f1a4f1a2e0aa6153a76110a9e275ae53c3d2671a541f6167a
                                                  • Instruction Fuzzy Hash: 2D413876900248AFCB01DF99D884ADEBFF5FB48320F14801AFA14A7310D775A954DFA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,01756D9E,?,?,?,?,?), ref: 01756E5F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.638888493.0000000001750000.00000040.00000001.sdmp, Offset: 01750000, based on PE: false
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 0729452791f3517ba445431be0fc6245eeac3ea48e9a147f50d9a3b8a8a427c4
                                                  • Instruction ID: 9218a9cd2c05cc9773627e0fec4ec0c8f182bd259f1a092578c2b2c41a74ccbd
                                                  • Opcode Fuzzy Hash: 0729452791f3517ba445431be0fc6245eeac3ea48e9a147f50d9a3b8a8a427c4
                                                  • Instruction Fuzzy Hash: 1621E4B5900248AFDB50CFA9D884AEEFBF4FB48320F14842AE914B3310D374A954CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,01756D9E,?,?,?,?,?), ref: 01756E5F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.638888493.0000000001750000.00000040.00000001.sdmp, Offset: 01750000, based on PE: false
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: dddbe1c9a60abe1e0ec68bc3f655a7b9a5b18cde97f22ff2b89628240702f313
                                                  • Instruction ID: 5f67f2eaab012aebe968707d5f70ffb6176b4002c7e9dbbac9d3670d41b95ef4
                                                  • Opcode Fuzzy Hash: dddbe1c9a60abe1e0ec68bc3f655a7b9a5b18cde97f22ff2b89628240702f313
                                                  • Instruction Fuzzy Hash: 7C21D2B5900248AFDB10CFAAD984ADEFBF4FB48324F14841AE914A3310D374A955CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0175BE81,00000800,00000000,00000000), ref: 0175C092
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.638888493.0000000001750000.00000040.00000001.sdmp, Offset: 01750000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: 333aace2dfc61f0ee9df6a741feb204f375947d676eaf650fefbf58de4c0cbe0
                                                  • Instruction ID: d50360437137e1cf9c3cdd64ac77275d72583d5d46c228bbc77aa3685ecc9a9e
                                                  • Opcode Fuzzy Hash: 333aace2dfc61f0ee9df6a741feb204f375947d676eaf650fefbf58de4c0cbe0
                                                  • Instruction Fuzzy Hash: 402159B68043088FCB11CFAAC848BDEFBF4EB59224F04856ED919A7600D3B59545CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0175BE81,00000800,00000000,00000000), ref: 0175C092
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.638888493.0000000001750000.00000040.00000001.sdmp, Offset: 01750000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: f12960d2d6367c73d80eab4218de1d86bc33a6420b4b474e7475b7cf27c352e2
                                                  • Instruction ID: aaa5f2bc03e0e6b59f520dbc966f39a90cad56d3f8a98b904e51661a3c2cfd43
                                                  • Opcode Fuzzy Hash: f12960d2d6367c73d80eab4218de1d86bc33a6420b4b474e7475b7cf27c352e2
                                                  • Instruction Fuzzy Hash: E41106B69003088FDB10CF9AC844B9EFBF8EB49314F04852AE919A7200C3B5A545CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0175BE81,00000800,00000000,00000000), ref: 0175C092
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.638888493.0000000001750000.00000040.00000001.sdmp, Offset: 01750000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: 5d274da1a775d4c337cdfeb0c7c50f006c357ff65eeef70f8c66f3e83bd5d685
                                                  • Instruction ID: 5fbd21be2edc8bd83d5de5140f3fbb6b89b6f1526e8766aefc3c65c2eab0b20f
                                                  • Opcode Fuzzy Hash: 5d274da1a775d4c337cdfeb0c7c50f006c357ff65eeef70f8c66f3e83bd5d685
                                                  • Instruction Fuzzy Hash: ED1103B6D003098FDB10CF9AC948BDEFBF4AB48324F15852AD919A7600C3B5A549CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,062E3191,?,?), ref: 062E3338
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.642695471.00000000062E0000.00000040.00000001.sdmp, Offset: 062E0000, based on PE: false
                                                  Similarity
                                                  • API ID: ChangeCloseFindNotification
                                                  • String ID:
                                                  • API String ID: 2591292051-0
                                                  • Opcode ID: 0f5ef3f69bc8865e7aeff437d2b8680fb631a8a171ea5e9d9dd678df2a15730b
                                                  • Instruction ID: 5875e1aca184baa0493876a3b6442f38e7549d7eb0822d06e93926d115705204
                                                  • Opcode Fuzzy Hash: 0f5ef3f69bc8865e7aeff437d2b8680fb631a8a171ea5e9d9dd678df2a15730b
                                                  • Instruction Fuzzy Hash: 1E1158B18002098FCB10DF9AC448BEEBBF4EB48320F108429D964B7340D778A945CFE1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0175BBD3), ref: 0175BE06
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.638888493.0000000001750000.00000040.00000001.sdmp, Offset: 01750000, based on PE: false
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  • Opcode ID: 43751e6e95fc8cf1bd19ea26771a7b97c97f258ae099e1f1cfad2d87fdab08ca
                                                  • Instruction ID: f0e2e9c7440969dd1dfc58a7bf865f8f56e40234251d8e9acd37bba6afe3aa7a
                                                  • Opcode Fuzzy Hash: 43751e6e95fc8cf1bd19ea26771a7b97c97f258ae099e1f1cfad2d87fdab08ca
                                                  • Instruction Fuzzy Hash: AC11E2B28002098BDB10DF9AC444BAEFBF5AB89224F14846AD929B7600D3B5A545CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,062E3191,?,?), ref: 062E3338
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.642695471.00000000062E0000.00000040.00000001.sdmp, Offset: 062E0000, based on PE: false
                                                  Similarity
                                                  • API ID: ChangeCloseFindNotification
                                                  • String ID:
                                                  • API String ID: 2591292051-0
                                                  • Opcode ID: b625160166fc5baf927b9041582159a0a7c15e1c0bc8480ffc0693bbf99192dd
                                                  • Instruction ID: 902605ac172bc841ba08a2cc6f488ba232bcf2acad0a3acd2f59d6eed5a70ee1
                                                  • Opcode Fuzzy Hash: b625160166fc5baf927b9041582159a0a7c15e1c0bc8480ffc0693bbf99192dd
                                                  • Instruction Fuzzy Hash: 27012232844206CFC710CBA8C448BCEBBF0BF44335F65856AC465D7651CB7D8186CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 062E1515
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.642695471.00000000062E0000.00000040.00000001.sdmp, Offset: 062E0000, based on PE: false
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: e804bcf98b5030da17a8fc414f4fd0dd65b8cb093209fd82254b8ba8df5b79a9
                                                  • Instruction ID: 75a801942ecfc3fb937f72346edda9684f0723892f28388bdc27e11944dca3f6
                                                  • Opcode Fuzzy Hash: e804bcf98b5030da17a8fc414f4fd0dd65b8cb093209fd82254b8ba8df5b79a9
                                                  • Instruction Fuzzy Hash: C71136B58003088FCB10CF99C888BDEBBF8FB48324F108529E825A7240C374A954CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0175DEA8,?,?,?,?), ref: 0175DF1D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.638888493.0000000001750000.00000040.00000001.sdmp, Offset: 01750000, based on PE: false
                                                  Similarity
                                                  • API ID: LongWindow
                                                  • String ID:
                                                  • API String ID: 1378638983-0
                                                  • Opcode ID: 1bf560cdb741df87e9d01643c571d32ac024413f7b8181a4fead06cbbb7ad06c
                                                  • Instruction ID: ff7324aa64442d68159dbfa550e3739a36824a375ed9408ebc6bb31a9ff3946b
                                                  • Opcode Fuzzy Hash: 1bf560cdb741df87e9d01643c571d32ac024413f7b8181a4fead06cbbb7ad06c
                                                  • Instruction Fuzzy Hash: F011F5B58042089FDB20DF99D488BDEFBF8EB48320F108419E955B7740C3B4A944CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,062E3191,?,?), ref: 062E3338
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.642695471.00000000062E0000.00000040.00000001.sdmp, Offset: 062E0000, based on PE: false
                                                  Similarity
                                                  • API ID: ChangeCloseFindNotification
                                                  • String ID:
                                                  • API String ID: 2591292051-0
                                                  • Opcode ID: a851ec64a781c6586fc59e3ed058cef3b8bca64cf736a1e3c418b1116a20844b
                                                  • Instruction ID: 611dd53e0b9e332ac79e6f0699aba05ce1cb5f23442ae96e32d89f0788091996
                                                  • Opcode Fuzzy Hash: a851ec64a781c6586fc59e3ed058cef3b8bca64cf736a1e3c418b1116a20844b
                                                  • Instruction Fuzzy Hash: 5611F2B68002098FCB10DF99C589BEEFBF4EF48324F14842AD969A7640D778A545CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0175DEA8,?,?,?,?), ref: 0175DF1D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.638888493.0000000001750000.00000040.00000001.sdmp, Offset: 01750000, based on PE: false
                                                  Similarity
                                                  • API ID: LongWindow
                                                  • String ID:
                                                  • API String ID: 1378638983-0
                                                  • Opcode ID: 3c36812e5b2e74da43042acd02647fb06030e65e399038ffddf4907780319937
                                                  • Instruction ID: b0299c36b01607132c6c835752fc38f81ea7c5f569b697dcf07e14b90029f64a
                                                  • Opcode Fuzzy Hash: 3c36812e5b2e74da43042acd02647fb06030e65e399038ffddf4907780319937
                                                  • Instruction Fuzzy Hash: 061106B59002089FDB10CF99D488BDEFBF8EB48320F108419E915B7740D3B4A945CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 062E1515
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.642695471.00000000062E0000.00000040.00000001.sdmp, Offset: 062E0000, based on PE: false
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: f375f3c3b6ceda1f71cfb70d2264ef9468dea19ed3fabf7d502978d7f3dfe4ab
                                                  • Instruction ID: 736fa56c36dacbffadc2ba46ab82c7d3221b25609715075ecf01d0266147786e
                                                  • Opcode Fuzzy Hash: f375f3c3b6ceda1f71cfb70d2264ef9468dea19ed3fabf7d502978d7f3dfe4ab
                                                  • Instruction Fuzzy Hash: EA11E5B58003499FDB10DF99C888BDEFBF8FB49324F108419E955A7600D375A954CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 062E1515
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.642695471.00000000062E0000.00000040.00000001.sdmp, Offset: 062E0000, based on PE: false
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: c84d6a7b9410ecbf0f4add6d4d164bff90969693f547f129e17b83f12ba98f8a
                                                  • Instruction ID: d316eb4468aeb2892fd0ec950d7653e289bccc1613d128541ca428cf853e9d0c
                                                  • Opcode Fuzzy Hash: c84d6a7b9410ecbf0f4add6d4d164bff90969693f547f129e17b83f12ba98f8a
                                                  • Instruction Fuzzy Hash: 2411E5B58002499FDB10CF99D488BDEBBF4FB58324F108419E955A7600C375A954CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.642695471.00000000062E0000.00000040.00000001.sdmp, Offset: 062E0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $%!l
                                                  • API String ID: 0-4161362926
                                                  • Opcode ID: ffbdfc777704be544d4492683d867617b364eab5a71167c7843c4a97e982e45e
                                                  • Instruction ID: 9819b77a134ba51b64ae254d4283d17aaa81d932382b7683fe2922fb8a347b25
                                                  • Opcode Fuzzy Hash: ffbdfc777704be544d4492683d867617b364eab5a71167c7843c4a97e982e45e
                                                  • Instruction Fuzzy Hash: C0B1AC30B12205CFDB58DF68D594BADB7FAAF89304F5440A9E906AB3A5CB70DE01CB51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.638888493.0000000001750000.00000040.00000001.sdmp, Offset: 01750000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e8ce0e4a08230403ea4e23c763f1ae057ea6e4964a18a339ba9e1f7048d87a19
                                                  • Instruction ID: 6527bf94b6726acbf585a98080c34e5616772e23b7a585d30b94dcdc27f080a5
                                                  • Opcode Fuzzy Hash: e8ce0e4a08230403ea4e23c763f1ae057ea6e4964a18a339ba9e1f7048d87a19
                                                  • Instruction Fuzzy Hash: 5D529DB0520706ABD310CF14E4CA6B97FF2FB40329F84524AE5627BA91EBB4544EDF44
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 81%
                                                  			E00CE2050() {
                                                  				intOrPtr* _t92;
                                                  				signed char _t93;
                                                  				signed char _t95;
                                                  				intOrPtr* _t97;
                                                  				signed char _t98;
                                                  				signed char _t99;
                                                  				signed char _t100;
                                                  				signed char _t101;
                                                  				signed char _t102;
                                                  				signed char _t103;
                                                  				signed char _t104;
                                                  				void* _t105;
                                                  				signed char _t107;
                                                  				signed char _t108;
                                                  				signed char _t109;
                                                  				signed char _t112;
                                                  				signed char _t113;
                                                  				intOrPtr* _t114;
                                                  				signed char _t115;
                                                  				signed char _t116;
                                                  				intOrPtr* _t117;
                                                  				intOrPtr* _t188;
                                                  				signed int* _t189;
                                                  				void* _t196;
                                                  				intOrPtr* _t197;
                                                  				signed char _t198;
                                                  				signed char _t199;
                                                  				signed char _t200;
                                                  				signed char _t201;
                                                  				signed char _t202;
                                                  				intOrPtr* _t210;
                                                  				intOrPtr* _t212;
                                                  				signed int* _t214;
                                                  				signed int* _t215;
                                                  				signed int* _t216;
                                                  				signed int* _t217;
                                                  				signed int* _t218;
                                                  				intOrPtr* _t223;
                                                  				intOrPtr* _t224;
                                                  				intOrPtr* _t225;
                                                  				signed int _t227;
                                                  				void* _t228;
                                                  				void* _t229;
                                                  
                                                  				asm("sbb esi, [eax]");
                                                  				_t93 = _t92 +  *_t92;
                                                  				_pop(ds);
                                                  				 *_t93 =  *_t93 + _t93;
                                                  				 *_t93 =  *_t93 + _t93;
                                                  				 *_t93 =  *_t93 + _t93;
                                                  				 *_t93 =  *_t93 + _t93;
                                                  				 *_t93 =  *_t93 + _t196;
                                                  				asm("sbb eax, 0x280a0000");
                                                  				 *_t93 =  *_t93 + _t93;
                                                  				asm("fiadd word [edx]");
                                                  				_t95 = _t189 + (_t93 |  *_t93);
                                                  				 *_t95 =  *_t95 + _t196;
                                                  				es = ds;
                                                  				 *_t95 =  *_t95 + _t95;
                                                  				_push(es);
                                                  				_t197 = _t196 +  *((intOrPtr*)(_t223 + 0x1f));
                                                  				 *_t95 =  *_t95 + _t95;
                                                  				_t97 = (_t95 |  *_t95) -  *(_t95 |  *_t95);
                                                  				 *_t97 =  *_t97 + _t210;
                                                  				 *_t97 =  *_t97 + _t97;
                                                  				_t98 = _t97 +  *_t97;
                                                  				 *_t98 =  *_t98 + _t98;
                                                  				_push(cs);
                                                  				asm("sldt word [edx]");
                                                  				 *_t98 =  *_t98 + _t98;
                                                  				 *_t98 =  *_t98 + _t98;
                                                  				asm("stosb");
                                                  				 *_t210 =  *_t210 + _t98;
                                                  				_push(ss);
                                                  				 *_t98 =  *_t98 - _t98;
                                                  				 *_t98 =  *_t98 + _t98;
                                                  				_t99 = _t98 |  *_t98;
                                                  				 *_t197 =  *_t197 - _t99;
                                                  				 *_t99 =  *_t99 + _t99;
                                                  				_t100 = _t99 |  *_t99;
                                                  				_t212 = _t210 +  *_t224 +  *_t223;
                                                  				 *_t212 =  *_t212 - _t100;
                                                  				 *_t100 =  *_t100 + _t100;
                                                  				_t101 = _t100 |  *_t100;
                                                  				 *_t189 =  *_t189 - _t101;
                                                  				 *_t101 =  *_t101 + _t101;
                                                  				_t102 = _t101 |  *_t101;
                                                  				_t214 = _t212 +  *_t223 +  *_t224;
                                                  				 *((intOrPtr*)(_t102 + _t102)) =  *((intOrPtr*)(_t102 + _t102)) - _t102;
                                                  				 *_t214 =  *_t214 + _t197;
                                                  				 *_t214 =  *_t214 + _t197;
                                                  				_t225 = _t224 - 1;
                                                  				 *_t214 =  *_t214 + _t102;
                                                  				 *_t197 =  *_t197 - _t197;
                                                  				 *_t102 =  *_t102 + _t102;
                                                  				asm("outsd");
                                                  				_t229 = _t228 - 1;
                                                  				es = es;
                                                  				 *_t225 =  *_t225 + _t102;
                                                  				 *0xa0000 =  *0xa0000 - _t102;
                                                  				_t103 = _t102 -  *_t225;
                                                  				 *_t214 =  *_t214 + _t103;
                                                  				 *_t225 =  *_t225 - _t103;
                                                  				 *_t103 =  *_t103 + _t103;
                                                  				_t104 = _t103 |  *_t103;
                                                  				_t198 = _t197 - _t214;
                                                  				if(_t198 >= 0) {
                                                  					L5:
                                                  					_t105 = _t104 -  *_t104;
                                                  				}
                                                  				 *_t104 =  *_t104 + _t104;
                                                  				_t107 = _t104 |  *(_t104 + 0x4000001);
                                                  				if(_t107 >= 0) {
                                                  					 *_t107 =  *_t107 + _t107;
                                                  					asm("adc esi, [eax]");
                                                  					 *_t107 =  *_t107 + _t107;
                                                  					asm("adc [eax], al");
                                                  					 *_t107 =  *_t107 + _t107;
                                                  					 *_t107 =  *_t107 + _t107;
                                                  					L8:
                                                  					 *_t107 =  *_t107 + _t107;
                                                  					asm("adc [eax], eax");
                                                  					if( *_t107 > 0) {
                                                  						 *_t107 =  *_t107 + _t107;
                                                  					}
                                                  					 *((intOrPtr*)(_t223 + _t227 * 2)) =  *((intOrPtr*)(_t223 + _t227 * 2)) + _t107;
                                                  					_t108 = _t107;
                                                  					L11:
                                                  					 *_t108 =  *_t108 + _t108;
                                                  					_t198 = _t198 |  *_t214;
                                                  					_t109 = _t108 -  *_t108;
                                                  					_push(es);
                                                  					_t214 = _t214 -  *_t189;
                                                  					 *_t198 =  *_t198 ^ _t109;
                                                  					 *_t109 =  *_t109 + _t214;
                                                  					 *_t109 =  *_t109 + _t109;
                                                  					 *_t214 =  *_t214 + _t109;
                                                  					 *_t109 =  *_t109 + _t109;
                                                  					asm("adc [eax], eax");
                                                  					if( *_t109 > 0) {
                                                  						 *_t109 =  *_t109 + _t109;
                                                  					}
                                                  					_t112 = _t109 + 0x6f - 0xa0a0000 -  *((intOrPtr*)(_t109 + 0x6f - 0xa0a0000));
                                                  					_push(es);
                                                  					_t215 = _t214 -  *_t189;
                                                  					 *_t198 =  *_t198 ^ _t112;
                                                  					 *_t112 =  *_t112 + _t215;
                                                  					 *_t112 =  *_t112 + _t112;
                                                  					 *_t189 =  *_t189 + _t112;
                                                  					 *_t112 =  *_t112 + _t112;
                                                  					asm("adc [eax], eax");
                                                  					if( *_t112 > 0) {
                                                  						 *_t112 =  *_t112 + _t112;
                                                  						_t112 = _t112 + 0x6f;
                                                  					}
                                                  					asm("outsd");
                                                  					 *[cs:eax] =  *[cs:eax] + _t112;
                                                  					_t199 = _t198 |  *_t215;
                                                  					_t113 = _t112 -  *_t112;
                                                  					_push(es);
                                                  					_t216 = _t215 -  *_t189;
                                                  					 *_t199 =  *_t199 ^ _t113;
                                                  					 *_t113 =  *_t113 + _t216;
                                                  					 *_t113 =  *_t113 + _t113;
                                                  					 *((intOrPtr*)(_t113 + _t113)) =  *((intOrPtr*)(_t113 + _t113)) + _t113;
                                                  					 *_t199 = _t216 +  *_t199;
                                                  					 *((intOrPtr*)(_t225 + 4)) =  *((intOrPtr*)(_t225 + 4)) + _t189;
                                                  					 *_t113 =  *_t113 + _t113;
                                                  					_t114 = _t113 + 0x6f;
                                                  					asm("das");
                                                  					 *_t114 =  *_t114 + _t114;
                                                  					_t200 = _t199 |  *_t216;
                                                  					_t115 = _t114 -  *_t114;
                                                  					_push(es);
                                                  					_t217 = _t216 -  *_t189;
                                                  					 *_t200 =  *_t200 ^ _t115;
                                                  					 *_t115 = _t217 +  *_t115;
                                                  					 *_t115 =  *_t115 + _t115;
                                                  					 *0x110000 =  *0x110000 + _t115;
                                                  					if ( *0x110000 <= 0) goto L19;
                                                  					goto L17;
                                                  					 *_t188 =  *_t188 + _t188;
                                                  					_t115 = _t188 + 0x6f;
                                                  					 *_t115 =  *_t115 ^ _t115;
                                                  					 *_t115 =  *_t115 + _t115;
                                                  					_t201 = _t200 |  *_t217;
                                                  					_t116 = _t115 -  *_t115;
                                                  					_push(es);
                                                  					_t218 = _t217 -  *_t189;
                                                  					 *_t218 =  *_t218 ^ _t116;
                                                  					 *((intOrPtr*)(_t116 + _t116)) =  *((intOrPtr*)(_t116 + _t116)) + _t189;
                                                  					 *_t116 =  *_t116 + _t116;
                                                  					_push(es);
                                                  					 *_t116 =  *_t116 + _t116;
                                                  					asm("adc [eax], eax");
                                                  					if( *_t116 > 0) {
                                                  						 *_t116 =  *_t116 + _t116;
                                                  						_t116 = _t116 + 0x14;
                                                  						 *_t201 =  *_t201 - _t218;
                                                  					}
                                                  					 *_t116 =  *_t116 + _t116;
                                                  					_t202 = _t201 |  *_t189;
                                                  					_pop(es);
                                                  					_t117 = _t116 - 0x21;
                                                  					if(_t117 >= 0) {
                                                  						 *_t117 =  *_t117 + _t117;
                                                  					}
                                                  					 *((intOrPtr*)(_t117 - 0x30)) =  *((intOrPtr*)(_t117 - 0x30)) + _t218;
                                                  				}
                                                  				 *_t107 =  *_t107 + _t107;
                                                  				_t107 = _t107 |  *(_t107 + 0x4000002);
                                                  				if(_t107 >= 0) {
                                                  					goto L8;
                                                  				}
                                                  				 *_t107 =  *_t107 + _t107;
                                                  				_t108 = _t107 |  *(_t107 + 0x4000003);
                                                  				if(_t108 >= 0) {
                                                  					goto L11;
                                                  				}
                                                  				 *_t108 =  *_t108 + _t108;
                                                  				_t109 = _t108 |  *(_t108 + 0x4000004);
                                                  				if (_t109 >= 0) goto L12;
                                                  				goto L5;
                                                  			}

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.638239269.0000000000CE2000.00000002.00020000.sdmp, Offset: 00CE0000, based on PE: true
                                                  • Associated: 00000000.00000002.638231439.0000000000CE0000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 131d1f87ea0989a75344c21ca3ee7129185d535f087075c722bad73063a8a732
                                                  • Instruction ID: a09ac7b340e41d119fd349844df805f33807fabf5065268a721b0cfbeac66e85
                                                  • Opcode Fuzzy Hash: 131d1f87ea0989a75344c21ca3ee7129185d535f087075c722bad73063a8a732
                                                  • Instruction Fuzzy Hash: 9102AC6240F7C28FCB138B799DB46917FB59E17214B1E49CBC4C1CF0A3E1286A5AD722
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.638888493.0000000001750000.00000040.00000001.sdmp, Offset: 01750000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8b540977e86c6754c5ad23ebca76d64e233711a024931b294e6b3400d7ca691b
                                                  • Instruction ID: 70668220445666c153003de06a708b579f7a192a869e6122ddfb7b400d418002
                                                  • Opcode Fuzzy Hash: 8b540977e86c6754c5ad23ebca76d64e233711a024931b294e6b3400d7ca691b
                                                  • Instruction Fuzzy Hash: 54A16032E1021A8FCF15DFA5C8445AEFBB3FF85300B15856AE905BB225EB75A945CB80
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.642695471.00000000062E0000.00000040.00000001.sdmp, Offset: 062E0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: eb69e2cefd0c638b10801e55b00993276f8fd567ee61b184837194c11bcc6627
                                                  • Instruction ID: 645bbe506df3613fb0dcb56b1d7f796496f65d48187a40cd0d7c74bb877983c3
                                                  • Opcode Fuzzy Hash: eb69e2cefd0c638b10801e55b00993276f8fd567ee61b184837194c11bcc6627
                                                  • Instruction Fuzzy Hash: 05413D70D5526A8FDB65CF6ACC047D9BBB6AF89300F44C0F6C848AB251E7B40A96CF51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Executed Functions

                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 01106BB0
                                                  • GetCurrentThread.KERNEL32 ref: 01106BED
                                                  • GetCurrentProcess.KERNEL32 ref: 01106C2A
                                                  • GetCurrentThreadId.KERNEL32 ref: 01106C83
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.896993369.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                                                  Similarity
                                                  • API ID: Current$ProcessThread
                                                  • String ID:
                                                  • API String ID: 2063062207-0
                                                  • Opcode ID: 84bed65b69eabc81c7ab7b63fcb749b2693e0c951091a78a599dde58cf3ae2b4
                                                  • Instruction ID: 93b68569da4971d8d64adc8ca33fd0a8f7da40c28bd6e43a84f13de339bd401c
                                                  • Opcode Fuzzy Hash: 84bed65b69eabc81c7ab7b63fcb749b2693e0c951091a78a599dde58cf3ae2b4
                                                  • Instruction Fuzzy Hash: 195124B0E006488FDB54CFA9C64879EBBF0FF49314F208459E519A7350DB749944CF65
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 011052A2
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.896993369.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                                                  Similarity
                                                  • API ID: CreateWindow
                                                  • String ID:
                                                  • API String ID: 716092398-0
                                                  • Opcode ID: d7658b1aab9e2283f5e81cf8a294000dc664a42b144794e541994122d85a6da2
                                                  • Instruction ID: b5bedfad9868872c947bbec335200a894466457339da915155f58646860f0898
                                                  • Opcode Fuzzy Hash: d7658b1aab9e2283f5e81cf8a294000dc664a42b144794e541994122d85a6da2
                                                  • Instruction Fuzzy Hash: 1E41CEB1D00309DFDF15CF99C984ADEBBB6BF48314F24812AE819AB250D7B5A845CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 01107CF9
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.896993369.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                                                  Similarity
                                                  • API ID: CallProcWindow
                                                  • String ID:
                                                  • API String ID: 2714655100-0
                                                  • Opcode ID: b07effa7fb1a16a412c3dfe9a89bfa3ff2ef7a17e7725f0a25535ff9676fd80a
                                                  • Instruction ID: 30f059a8053952ebfb8b32319e57d6640f18eb7976b0077c9a58b3bc28a32570
                                                  • Opcode Fuzzy Hash: b07effa7fb1a16a412c3dfe9a89bfa3ff2ef7a17e7725f0a25535ff9676fd80a
                                                  • Instruction Fuzzy Hash: DC415BB59003498FCB19CF99C588BAABBF5FF88314F14C459E559AB361C774A841CFA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RtlEncodePointer.NTDLL(00000000), ref: 0110C3B2
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.896993369.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                                                  Similarity
                                                  • API ID: EncodePointer
                                                  • String ID:
                                                  • API String ID: 2118026453-0
                                                  • Opcode ID: e9b82091388a3b73cd79d749aab12fb0ec1f53a799a0e2b3ca995c8ac5694081
                                                  • Instruction ID: 8bd6f379e46a7aabb45aac1bce9b6da92c177d463bbd6ec2dbc725f81b9ce69f
                                                  • Opcode Fuzzy Hash: e9b82091388a3b73cd79d749aab12fb0ec1f53a799a0e2b3ca995c8ac5694081
                                                  • Instruction Fuzzy Hash: 1F314770C083898FDB51CFA9D4483EEBFF0EB06318F14849AD584A7682C7B9541ACFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01106DFF
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.896993369.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: d67293e2efe1606672901a9970ac2a7b41de540967ca533724876cef879e9cb6
                                                  • Instruction ID: a97b4f6978352513385d02f5a7ceb9a31546d08728386954df7fa4848831dde7
                                                  • Opcode Fuzzy Hash: d67293e2efe1606672901a9970ac2a7b41de540967ca533724876cef879e9cb6
                                                  • Instruction Fuzzy Hash: 2821C2B5D002589FDB10CFA9D984ADEBBF8FB48324F14841AE914A7350D375A954CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RtlEncodePointer.NTDLL(00000000), ref: 0110C3B2
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.896993369.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                                                  Similarity
                                                  • API ID: EncodePointer
                                                  • String ID:
                                                  • API String ID: 2118026453-0
                                                  • Opcode ID: 2cd687e3c69a8e0751873a4d1092d8fb3f812f05519b43dcdc6cbf540b06016a
                                                  • Instruction ID: 046575c2ce66a6030644a5e7ebca9aef4a27acc99c575c5eada9b31bb730655d
                                                  • Opcode Fuzzy Hash: 2cd687e3c69a8e0751873a4d1092d8fb3f812f05519b43dcdc6cbf540b06016a
                                                  • Instruction Fuzzy Hash: 6C119AB0D043098FDF50DFAAC50839EBBF4FB05328F10886AD504A7681CB79A605CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 01104216
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.896993369.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  • Opcode ID: deebe6add2a5a60114fece7d285a2c636caa3960ce4343e7ac770bca89e97d39
                                                  • Instruction ID: 89ccbb43fa3a2c1be22a54d300974b2257be7b00bdad5159b14dd2b6e82926c2
                                                  • Opcode Fuzzy Hash: deebe6add2a5a60114fece7d285a2c636caa3960ce4343e7ac770bca89e97d39
                                                  • Instruction Fuzzy Hash: B611F3B5D006498FDB14CF9AD588BDEFBF4EB89224F10841AD519B7640C3B4A546CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 01104216
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.896993369.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  • Opcode ID: 5f365a684a74474966429d3b7e820ce16644bf39748648b3ca5344899e12e7d1
                                                  • Instruction ID: 861ff6ce45fafdf8e84d47aef31e39d18c222b80724a2760ab6290b18a2b7e2e
                                                  • Opcode Fuzzy Hash: 5f365a684a74474966429d3b7e820ce16644bf39748648b3ca5344899e12e7d1
                                                  • Instruction Fuzzy Hash: AB1132B1D006498FCB14CF9AD488BDEFBF4EB88320F00842AD929B7600C3B4A545CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.896860408.000000000109D000.00000040.00000001.sdmp, Offset: 0109D000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: da3be503c191ff6e6658eb67768720bce2566a9ed882ebed941da6e4a3fc24eb
                                                  • Instruction ID: d5f73a3fcddc4eaaca27096bf06b288302cabad27adf76e757d7d321ed5874dd
                                                  • Opcode Fuzzy Hash: da3be503c191ff6e6658eb67768720bce2566a9ed882ebed941da6e4a3fc24eb
                                                  • Instruction Fuzzy Hash: C02167B1544200EFCF01DF54D8D0F2ABFA1FB88328F24C5A9E9894B206C336D846DBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.896876653.00000000010AD000.00000040.00000001.sdmp, Offset: 010AD000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c9175c5606acf5ae100fa9e8a2b9a22c72e743b20e6ba055a8bd938bd1852f22
                                                  • Instruction ID: 1b4769d21ed5b31bf206133bab79bf8e9e90771ae7c85369293d597b0931a21a
                                                  • Opcode Fuzzy Hash: c9175c5606acf5ae100fa9e8a2b9a22c72e743b20e6ba055a8bd938bd1852f22
                                                  • Instruction Fuzzy Hash: 1C2122B1644200DFCB15CFA4D8C4F26BBA1FB88354F64C9ADE9894B646C376D847CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.896876653.00000000010AD000.00000040.00000001.sdmp, Offset: 010AD000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f0007b5ead5d171023ab7e9c6707e4e302e92e733522b4a7930c67705b311a3b
                                                  • Instruction ID: 0052ebaa4e38ec302a1ac9192fbcd1be93cef78d89c8f0e09f8f3d4f0a34db68
                                                  • Opcode Fuzzy Hash: f0007b5ead5d171023ab7e9c6707e4e302e92e733522b4a7930c67705b311a3b
                                                  • Instruction Fuzzy Hash: 3021B0714483809FCB02CF64D994B11BFB1EB4A314F28C5DAD8858F667C33A9806CB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.896860408.000000000109D000.00000040.00000001.sdmp, Offset: 0109D000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
                                                  • Instruction ID: 8ce7e3ece94a87122dcfddde2fb1084d89620002f153118481cdf11176ea2614
                                                  • Opcode Fuzzy Hash: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
                                                  • Instruction Fuzzy Hash: 8711E172444280DFCF02CF04D5D4B16BFB2FB88324F28C6A9D8484B616C336D456DBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions