Analysis Report medline PO No. 9100002286.exe

Overview

General Information

Sample Name: medline PO No. 9100002286.exe
Analysis ID: 399505
MD5: 3b4740623c70111cf16cd73e2ce7e1e5
SHA1: caddff5529c85f69a942a7436edecd6122a16ac1
SHA256: b20b1c9c785100e0e18623c7f34843a82e066f0f91af93410654733c9e7e4513
Tags: exe

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Snake Keylogger
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Beds Obfuscator
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Startup

  • System is w10x64
  • medline PO No. 9100002286.exe (PID: 5748 cmdline: 'C:\Users\user\Desktop\medline PO No. 9100002286.exe' MD5: 3B4740623C70111CF16CD73E2CE7E1E5)
    • schtasks.exe (PID: 4828 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RDdkJkTI' /XML 'C:\Users\user\AppData\Local\Temp\tmp7588.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "SMTP Info": {"Port": "587", "SMTP Credential": "99chimps@vivaldi.netgoodgood12345smtp.vivaldi.net"}}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000006.00000002.505992818.0000000002DD1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000006.00000002.501104830.0000000000402000.00000040.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
00000006.00000002.501104830.0000000000402000.00000040.00000001.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000006.00000002.506385916.0000000002E3F000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Unpacked PEs

Source | Rule | Description | Author
0.2.medline PO No. 9100002286.exe.3aa8bd0.4.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
0.2.medline PO No. 9100002286.exe.3aa8bd0.4.raw.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0.2.medline PO No. 9100002286.exe.3aa8bd0.4.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
0.2.medline PO No. 9100002286.exe.3aa8bd0.4.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0.2.medline PO No. 9100002286.exe.3a3a1b0.3.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started
Author: Joe Security
Data:
  Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RDdkJkTI' /XML 'C:\Users\user\AppData\Local\Temp\tmp7588.tmp'
  CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RDdkJkTI' /XML 'C:\Users\user\AppData\Local\Temp\tmp7588.tmp'
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe
  NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: 'C:\Users\user\Desktop\medline PO No. 9100002286.exe'
  ParentImage: C:\Users\user\Desktop\medline PO No. 9100002286.exe
  ParentProcessId: 5748
  ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RDdkJkTI' /XML 'C:\Users\user\AppData\Local\Temp\tmp7588.tmp'
  ProcessId: 4828

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.259808275.0000000003829000.00000004.00000001.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "SMTP Info": {"Port": "587", "SMTP Credential": "99chimps@vivaldi.netgoodgood12345smtp.vivaldi.net"}}
Multi AV Scanner detection for submitted file
Source: medline PO No. 9100002286.exe | Virustotal: Detection: 28%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\RDdkJkTI.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: medline PO No. 9100002286.exe | Joe Sandbox ML: detected
Source: 6.2.medline PO No. 9100002286.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen
Source: medline PO No. 9100002286.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.7:49715 version: TLS 1.0
Source: medline PO No. 9100002286.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_052ADFD0
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_052ADCB8

Networking:

May check the online IP address of the machine
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | DNS query: name: checkip.dyndns.org
Source: Joe Sandbox View | IP Address: 104.21.19.200
Source: Joe Sandbox View | IP Address: 216.146.43.71
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | DNS traffic detected: queries for: checkip.dyndns.org
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715

                      System Summary:

                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_064800406_2_06480040
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_06482FD86_2_06482FD8
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_064808286_2_06480828
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_064837C06_2_064837C0
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_064817F86_2_064817F8
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_064810106_2_06481010
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_06483F586_2_06483F58
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_06481FE06_2_06481FE0
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_064827716_2_06482771
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_0648472F6_2_0648472F
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_064807C86_2_064807C8
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_064800066_2_06480006
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_06482F786_2_06482F78
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_06480FB16_2_06480FB1
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_064837606_2_06483760
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_064817996_2_06481799
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_06481F816_2_06481F81
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_06483FA86_2_06483FA8
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_064927346_2_06492734
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_064999B86_2_064999B8
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_06490F486_2_06490F48
                      Source: C:\Users\user\Desktop\medline PO No. 9100002286.exeCode function: 6_2_064937606_2_06493760
Source: medline PO No. 9100002286.exe, 00000000.00000002.259369361.000000000286D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll( vs medline PO No. 9100002286.exe
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUPJ4C205.exe4 vs medline PO No. 9100002286.exe
Source: medline PO No. 9100002286.exe, 00000000.00000002.270826412.0000000006EF0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs medline PO No. 9100002286.exe
Source: medline PO No. 9100002286.exe, 00000000.00000003.252107178.0000000007422000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAssemblyFlagsAttribute.exeJ vs medline PO No. 9100002286.exe
Source: medline PO No. 9100002286.exe, 00000000.00000002.273934116.000000000D300000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs medline PO No. 9100002286.exe
Source: medline PO No. 9100002286.exe, 00000000.00000002.274159227.000000000D400000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs medline PO No. 9100002286.exe
Source: medline PO No. 9100002286.exe, 00000000.00000002.274159227.000000000D400000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs medline PO No. 9100002286.exe
Source: medline PO No. 9100002286.exe, 00000000.00000002.271582690.0000000007390000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs medline PO No. 9100002286.exe
Source: medline PO No. 9100002286.exe, 00000006.00000000.256897765.0000000000A36000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAssemblyFlagsAttribute.exeJ vs medline PO No. 9100002286.exe
Source: medline PO No. 9100002286.exe, 00000006.00000002.502857347.0000000000E30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs medline PO No. 9100002286.exe
Source: medline PO No. 9100002286.exe, 00000006.00000002.501946177.0000000000466000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameUPJ4C205.exe4 vs medline PO No. 9100002286.exe
Source: medline PO No. 9100002286.exe, 00000006.00000002.502608095.0000000000BC6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs medline PO No. 9100002286.exe
Source: medline PO No. 9100002286.exe | Binary or memory string: OriginalFilenameAssemblyFlagsAttribute.exeJ vs medline PO No. 9100002286.exe
Source: medline PO No. 9100002286.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: medline PO No. 9100002286.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: RDdkJkTI.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/4@3/3
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | File created: C:\Users\user\AppData\Roaming\RDdkJkTI.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5620:120:WilError_01
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | File created: C:\Users\user\AppData\Local\Temp\tmp7588.tmp
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 identical entries)
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 identical entries)
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: medline PO No. 9100002286.exe, 00000000.00000002.259281520.0000000002821000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: medline PO No. 9100002286.exe | Virustotal: Detection: 28%
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | File read: C:\Users\user\Desktop\medline PO No. 9100002286.exe
Source: unknown | Process created: C:\Users\user\Desktop\medline PO No. 9100002286.exe 'C:\Users\user\Desktop\medline PO No. 9100002286.exe'
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RDdkJkTI' /XML 'C:\Users\user\AppData\Local\Temp\tmp7588.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Process created: C:\Users\user\Desktop\medline PO No. 9100002286.exe C:\Users\user\Desktop\medline PO No. 9100002286.exe
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: medline PO No. 9100002286.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: medline PO No. 9100002286.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

Yara detected Beds Obfuscator
Source: Yara match | File source: 00000006.00000002.501104830.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.259808275.0000000003829000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: medline PO No. 9100002286.exe PID: 5452, type: MEMORY
Source: Yara match | File source: Process Memory Space: medline PO No. 9100002286.exe PID: 5748, type: MEMORY
Source: Yara match | File source: 0.2.medline PO No. 9100002286.exe.3aa8bd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.medline PO No. 9100002286.exe.3aa8bd0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.medline PO No. 9100002286.exe.3a3a1b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.medline PO No. 9100002286.exe.400000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Code function: 0_2_004052AF push es; iretd 0_2_004052C8
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Code function: 0_2_0040527F push es; iretd 0_2_004052C8
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Code function: 0_2_0040B93F push edi; ret 0_2_0040B940
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Code function: 0_2_052A4001 push ebp; ret 0_2_052A4002
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Code function: 6_2_009B527F push es; iretd 6_2_009B52C8
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Code function: 6_2_009BB93F push edi; ret 6_2_009BB940
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Code function: 6_2_009B52AF push es; iretd 6_2_009B52C8
Source: initial sample | Static PE information: section name: .text entropy: 7.81158493919
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | File created: C:\Users\user\AppData\Roaming\RDdkJkTI.exe
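The ".text entropy: 7.81" row above is the sandbox's packing indicator: a code section compiled from ordinary x86 or .NET code sits well below 7 bits per byte, while a compressed or encrypted payload approaches the 8.0 maximum. The following is an added example of that Shannon-entropy check, written for this page and not tooling from the sandbox vendor. The 7.0 cut-off and the three sample buffers (a repeated x86 prologue as a crude stand-in for plain code, seeded pseudo-random bytes as a stand-in for an encrypted payload, and zero padding) are constructed assumptions, not bytes taken from the sample.

```python
"""Section-entropy check for packed or encrypted PE code (added example)."""
import math
import random
from collections import Counter

PACKED_THRESHOLD = 7.0   # assumed cut-off in bits/byte; tune against your own corpus


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy H = -sum(p_i * log2 p_i) over byte values: 0.0 for a
    constant buffer, 8.0 for a uniform one."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_section(name: str, data: bytes, threshold: float = PACKED_THRESHOLD) -> dict:
    """Verdict for one section: flag it when entropy reaches the threshold."""
    h = shannon_entropy(data)
    return {"section": name, "size": len(data), "entropy": round(h, 4),
            "suspicious": h >= threshold}


def suspicious_sections(sections: dict) -> list:
    """Names of the sections that look packed or encrypted."""
    return [n for n, d in sections.items() if classify_section(n, d)["suspicious"]]


# Constructed stand-ins (assumptions for the demo, not bytes from the sample):
# a repeated push/mov/sub/push/pop/leave/ret sequence, crude but byte-skewed like real code
PLAIN_CODE = bytes.fromhex("558bec83ec105356578b7d085f5e5bc9c3") * 256
# seeded pseudo-random bytes, which is what an encrypted or compressed payload looks like
_rng = random.Random(2021)
ENCRYPTED_PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(8192))
# zero padding, e.g. an uninitialised data section
ZERO_PAD = bytes(4096)

SAMPLE_SECTIONS = {
    "packed .text": ENCRYPTED_PAYLOAD,
    "plain .text": PLAIN_CODE,
    ".bss": ZERO_PAD,
}

if __name__ == "__main__":
    for name, data in SAMPLE_SECTIONS.items():
        print(classify_section(name, data))
    print("suspicious:", suspicious_sections(SAMPLE_SECTIONS))
```

To run this against a real file, feed each section's raw bytes in (with the pefile library that is `section.get_data()` for every entry in `pe.sections`; pefile also exposes `section.get_entropy()` directly). Note that a high-entropy .text section is evidence of packing, not of malice on its own: legitimately protected or compressed binaries score the same, so the value is one signal to be read alongside the OriginalFilename mismatch and the dropped-file rows above.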

                      Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RDdkJkTI' /XML 'C:\Users\user\AppData\Local\Temp\tmp7588.tmp'
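The persistence step recorded in that row (the sample drops RDdkJkTI.exe, writes a task definition to a .tmp file in the user's Temp directory, and registers it with schtasks /Create /XML) is what the "Scheduled temp file as task from temp location" Sigma hit in the summary refers to. The following is an added example of detection logic for it over process-creation events, written for this page and not a rule shipped with the sandbox or any SIEM. The events are constructed in the shape of Sysmon Event ID 1; the first reproduces this report's command line with the double quotes Windows actually passes (the report renders them as single quotes). The task XML and its Roaming-directory target are assumptions: the report shows the task name and the dropped file, not the contents of the task definition.

```python
"""Detection of schtasks-based persistence from a temp-file task definition (added example)."""
import re
import xml.etree.ElementTree as ET

TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
USER_PARENT_MARKERS = ("\\desktop\\", "\\downloads\\", "\\appdata\\")
VALUE_OPTS = {"/tn", "/xml", "/tr", "/sc", "/ru", "/rp", "/st", "/sd", "/mo", "/s", "/u", "/p"}
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"


def split_windows_cmdline(cmdline: str) -> list:
    """Tokenise the common case of a Windows command line: whitespace-separated,
    double-quoted runs kept whole, no backslash escaping (paths keep their backslashes)."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(argv: list) -> tuple:
    """Split schtasks arguments into bare switches (/create, /f ...) and valued ones (/tn X)."""
    switches, values = set(), {}
    i = 1                                   # argv[0] is the program itself
    while i < len(argv):
        tok = argv[i].lower()
        if tok in VALUE_OPTS and i + 1 < len(argv):
            values[tok] = argv[i + 1]
            i += 2
        else:
            switches.add(tok)
            i += 1
    return switches, values


def analyze_event(event: dict) -> list:
    """Return detection names for one process-creation event (empty list when clean)."""
    findings = []
    if not event["Image"].lower().endswith("\\schtasks.exe"):
        return findings
    switches, values = parse_schtasks(split_windows_cmdline(event["CommandLine"]))
    if "/create" not in switches:
        return findings
    # task definition imported from a temp file that is gone by the time an analyst looks
    if any(m in values.get("/xml", "").lower() for m in TEMP_MARKERS):
        findings.append("schtasks_create_from_temp_xml")
    # installers run from Program Files or via msiexec; a Desktop/Downloads/AppData parent is neither
    if any(m in event["ParentImage"].lower() for m in USER_PARENT_MARKERS):
        findings.append("schtasks_create_by_user_profile_parent")
    return findings


def task_exec_commands(task_xml: str) -> list:
    """Extract <Exec><Command> targets from a task definition. The /XML input file is
    deleted, but the registered copy survives under C:\\Windows\\System32\\Tasks\\<folder>\\<name>."""
    root = ET.fromstring(task_xml)
    return [c.text.strip() for c in root.iter(TASK_NS + "Command") if c.text]


# Constructed events in Sysmon Event ID 1 shape (assumptions for the demo)
EVENTS = [
    {   # built from this report's process-creation rows
        "Image": r"C:\Windows\SysWOW64\schtasks.exe",
        "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RDdkJkTI" /XML "C:\Users\user\AppData\Local\Temp\tmp7588.tmp"',
        "ParentImage": r"C:\Users\user\Desktop\medline PO No. 9100002286.exe",
    },
    {   # benign: interactive query, no /create
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks.exe /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # benign: installer registering a task from its own ProgramData directory
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Vendor\Updater" /XML "C:\ProgramData\Vendor\updater.xml" /F',
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
    },
]

# Constructed task definition; the logon trigger and the Roaming target are assumptions
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\user\AppData\Roaming\RDdkJkTI.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["CommandLine"], "->", analyze_event(ev) or "clean")
    print("persisted target(s):", task_exec_commands(SAMPLE_TASK_XML))
```

Two points for responders. First, the tokeniser deliberately does not use shlex: in POSIX mode it would strip the backslashes from unquoted Windows paths. Second, the .tmp file named in the command line is the least durable artefact; on a live host the same XML is still readable from the Tasks directory under the task name shown in the row (Updates\RDdkJkTI), which is where the command the task actually launches is recovered.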
Source: C:\Users\user\Desktop\medline PO No. 9100002286.exe | Process information set: NOOPENFILEERRORBOX (81 identical entries)