Analysis Report pd9EeXdsQtNb3dQ.exe

Overview

General Information

Sample Name: pd9EeXdsQtNb3dQ.exe
Analysis ID: 404170
MD5: 3dad3d4918e28ded77c3e2e93a42665f
SHA1: 8b16dba4992b75a303f63a09d8a41ac99f28ce5c
SHA256: 1b61b157db50652678e1e288cfce86f6c74e40f50a468f6d04d0010c84235210
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 3.2.pd9EeXdsQtNb3dQ.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "office5@iykmoreentrprise.orgrwkWCM328mail.iykmoreentrprise.org"}
Multi AV Scanner detection for submitted file
Source: pd9EeXdsQtNb3dQ.exe Virustotal: Detection: 14%
Source: pd9EeXdsQtNb3dQ.exe ReversingLabs: Detection: 51%
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.pd9EeXdsQtNb3dQ.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: pd9EeXdsQtNb3dQ.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: pd9EeXdsQtNb3dQ.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\megrKadQRn\src\obj\Debug\IMethodMessage.pdb source: pd9EeXdsQtNb3dQ.exe

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_059ED9A0

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49749 -> 66.70.204.222:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 66.70.204.222 66.70.204.222
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OVHFR OVHFR
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.6:49749 -> 66.70.204.222:587
Source: unknown DNS traffic detected: queries for: mail.iykmoreentrprise.org
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp String found in binary or memory: http://DXvqav.com
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588712219.0000000003398000.00000004.00000001.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588755539.00000000033A6000.00000004.00000001.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588712219.0000000003398000.00000004.00000001.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588712219.0000000003398000.00000004.00000001.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588712219.0000000003398000.00000004.00000001.sdmp String found in binary or memory: http://iykmoreentrprise.org
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588712219.0000000003398000.00000004.00000001.sdmp String found in binary or memory: http://mail.iykmoreentrprise.org
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588755539.00000000033A6000.00000004.00000001.sdmp String found in binary or memory: http://r3.i.lencr.org/0
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588755539.00000000033A6000.00000004.00000001.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.331949813.00000000027F1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: pd9EeXdsQtNb3dQ.exe String found in binary or memory: http://tempuri.org/Shops_DBDataSet.xsd
Source: pd9EeXdsQtNb3dQ.exe String found in binary or memory: http://tempuri.org/Shops_DBDataSet.xsd9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGPrope
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588834930.00000000033C6000.00000004.00000001.sdmp String found in binary or memory: https://NtZtA8FE2WmoFQd.com
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%$
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.333313035.00000000037F9000.00000004.00000001.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000002.582976077.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_0533F968 0_2_0533F968
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_0533E048 0_2_0533E048
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_0533EA68 0_2_0533EA68
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_0533E520 0_2_0533E520
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_05338DC0 0_2_05338DC0
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_0533CC40 0_2_0533CC40
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_0533D7E0 0_2_0533D7E0
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_053329B0 0_2_053329B0
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_053329A0 0_2_053329A0
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_053331F8 0_2_053331F8
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_059E21C8 0_2_059E21C8
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_059E2D68 0_2_059E2D68
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_059EE3D8 0_2_059EE3D8
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_059E21BA 0_2_059E21BA
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_059E69F5 0_2_059E69F5
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_059E0908 0_2_059E0908
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_059E0906 0_2_059E0906
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_059E1D38 0_2_059E1D38
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_059E1D28 0_2_059E1D28
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_059E2CB9 0_2_059E2CB9
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_059E7808 0_2_059E7808
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_059E63CD 0_2_059E63CD
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_059E77F9 0_2_059E77F9
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_059E93F0 0_2_059E93F0
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_059E7310 0_2_059E7310
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_059E1B30 0_2_059E1B30
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_059E7320 0_2_059E7320
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_059E1B20 0_2_059E1B20
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_059E7AE8 0_2_059E7AE8
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 3_2_0135B998 3_2_0135B998
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 3_2_0135972D 3_2_0135972D
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 3_2_01355700 3_2_01355700
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 3_2_01356960 3_2_01356960
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 3_2_013C2020 3_2_013C2020
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 3_2_013CAB70 3_2_013CAB70
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 3_2_013C2F6D 3_2_013C2F6D
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 3_2_013C2618 3_2_013C2618
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 3_2_013CB668 3_2_013CB668
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 3_2_013CF117 3_2_013CF117
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 3_2_013CDBF8 3_2_013CDBF8
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 3_2_01418388 3_2_01418388
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 3_2_01413A78 3_2_01413A78
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 3_2_01416288 3_2_01416288
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 3_2_01419460 3_2_01419460
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 3_2_0141E650 3_2_0141E650
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 3_2_0141613A 3_2_0141613A
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 3_2_0141E260 3_2_0141E260
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 3_2_01415620 3_2_01415620
PE file contains strange resources
Source: pd9EeXdsQtNb3dQ.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.333313035.00000000037F9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamekwwXmjSlWzClvYrsuIIfArLMqOg.exe4 vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.333313035.00000000037F9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll@ vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.331949813.00000000027F1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll( vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000000.317330341.0000000000568000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIMethodMessage.exe: vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe, 00000002.00000002.327814127.0000000000568000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIMethodMessage.exe: vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328988968.0000000000CC8000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIMethodMessage.exe: vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.584799956.0000000001420000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.585395067.00000000014F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.582976077.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamekwwXmjSlWzClvYrsuIIfArLMqOg.exe4 vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.583993167.00000000010F8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe Binary or memory string: OriginalFilenameIMethodMessage.exe: vs pd9EeXdsQtNb3dQ.exe
Uses 32bit PE files
Source: pd9EeXdsQtNb3dQ.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/1@2/1
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pd9EeXdsQtNb3dQ.exe.log
Source: pd9EeXdsQtNb3dQ.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp Binary or memory string: INSERT INTO [dbo].[categories] ([CateryName], [Description], [Picture]) VALUES (@CateryName, @Description, @Picture);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp Binary or memory string: UPDATE [creditors] SET [OrderID] = @OrderID, [SupplierID] = @SupplierID, [EmployeeID] = @EmployeeID, [AmountDue] = @AmountDue, [CompletePayments] = @CompletePayments WHERE (([OrderID] = @Original_OrderID) AND ([SupplierID] = @Original_SupplierID) AND ([EmployeeID] = @Original_EmployeeID) AND ([AmountDue] = @Original_AmountDue) AND ([CompletePayments] = @Original_CompletePayments));
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp Binary or memory string: UPDATE [ExpenseType] SET [TypeName] = @TypeName, [Description] = @Description, [CreatedBy] = @CreatedBy, [CreatedDate] = @CreatedDate, [ModifiedBy] = @ModifiedBy, [ModifiedDate] = @ModifiedDate WHERE (([Id] = @Original_Id) AND ([TypeName] = @Original_TypeName) AND ((@IsNull_Description = 1 AND [Description] IS NULL) OR ([Description] = @Original_Description)) AND ((@IsNull_CreatedBy = 1 AND [CreatedBy] IS NULL) OR ([CreatedBy] = @Original_CreatedBy)) AND ((@IsNull_CreatedDate = 1 AND [CreatedDate] IS NULL) OR ([CreatedDate] = @Original_CreatedDate)) AND ((@IsNull_ModifiedBy = 1 AND [ModifiedBy] IS NULL) OR ([ModifiedBy] = @Original_ModifiedBy)) AND ((@IsNull_ModifiedDate = 1 AND [ModifiedDate] IS NULL) OR ([ModifiedDate] = @Original_ModifiedDate)));
Source: pd9EeXdsQtNb3dQ.exe Binary or memory string: INSERT INTO [usergroups] ([GroupName], [Description], [GroupMenus]) VALUES (@GroupName, @Description, @GroupMenus); SELECT GroupID
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: pd9EeXdsQtNb3dQ.exe Binary or memory string: INSERT INTO [dbo].[tblMenu] ([menuName], [menuText]) VALUES (@menuName, @menuText); SELECT menuID, menuName, menuText FROM tblMenu
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp Binary or memory string: INSERT INTO [products] ([ProductCode], [ProductName], [CategoryID], [UnitPrice], [UnitsInStock], [ReorderLevel], [Discontinued], [Description], [LocationID], [Discount], [WHUnitPrice], [AvgCost]) VALUES (@ProductCode, @ProductName, @CategoryID, @UnitPrice, @UnitsInStock, @ReorderLevel, @Discontinued, @Description, @LocationID, @Discount, @WHUnitPrice, @AvgCost);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp Binary or memory string: UPDATE [ExpiryDates] SET [ProductID] = @ProductID, [Quantity] = @Quantity, [ExpiryDate] = @ExpiryDate, [OrderDetailsID] = @OrderDetailsID WHERE (([ExpiryDateID] = @Original_ExpiryDateID) AND ([ProductID] = @Original_ProductID) AND ([Quantity] = @Original_Quantity) AND ([ExpiryDate] = @Original_ExpiryDate) AND ([OrderDetailsID] = @Original_OrderDetailsID));
Source: pd9EeXdsQtNb3dQ.exe Binary or memory string: INSERT INTO [dbo].[userstbl] ([Userid], [Passwd], [EmployeeID], [GroupID]) VALUES (@Userid, @Passwd, @EmployeeID, @GroupID); SELEC
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp Binary or memory string: INSERT INTO [sales] ([CustomerID], [EmployeeID], [SalesDate], [SalesTime], [PaymentType], [TotalAmount], [PriceOffset], [SaleType]) VALUES (@CustomerID, @EmployeeID, @SalesDate, @SalesTime, @PaymentType, @TotalAmount, @PriceOffset, @SaleType);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp Binary or memory string: INSERT INTO [dbo].[Employees] ([LastName], [FirstName], [Sex], [JobID], [BirthDate], [HireDate], [Address], [PhoneNo], [Country], [EmailAddress], [Picture]) VALUES (@LastName, @FirstName, @Sex, @JobID, @BirthDate, @HireDate, @Address, @PhoneNo, @Country, @EmailAddress, @Picture);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp Binary or memory string: UPDATE [usergroups] SET [GroupName] = @GroupName, [Description] = @Description, [GroupMenus] = @GroupMenus WHERE (([GroupID] = @Original_GroupID) AND ([GroupName] = @Original_GroupName) AND ((@IsNull_Description = 1 AND [Description] IS NULL) OR ([Description] = @Original_Description)));
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp Binary or memory string: UPDATE [products] SET [ProductCode] = @ProductCode, [ProductName] = @ProductName, [CategoryID] = @CategoryID, [UnitPrice] = @UnitPrice, [UnitsInStock] = @UnitsInStock, [ReorderLevel] = @ReorderLevel, [Discontinued] = @Discontinued, [Description] = @Description, [LocationID] = @LocationID, [Discount] = @Discount, [WHUnitPrice] = @WHUnitPrice, [AvgCost] = @AvgCost WHERE (([ProductID] = @Original_ProductID) AND ((@IsNull_ProductCode = 1 AND [ProductCode] IS NULL) OR ([ProductCode] = @Original_ProductCode)) AND ([ProductName] = @Original_ProductName) AND ([CategoryID] = @Original_CategoryID) AND ([UnitPrice] = @Original_UnitPrice) AND ([UnitsInStock] = @Original_UnitsInStock) AND ((@IsNull_ReorderLevel = 1 AND [ReorderLevel] IS NULL) OR ([ReorderLevel] = @Original_ReorderLevel)) AND ((@IsNull_Discontinued = 1 AND [Discontinued] IS NULL) OR ([Discontinued] = @Original_Discontinued)) AND ((@IsNull_Description = 1 AND [Description] IS NULL) OR ([Description] = @Original_Description)) AND ((@IsNull_LocationID = 1 AND [LocationID] IS NULL) OR ([LocationID] = @Original_LocationID)) AND ([Discount] = @Original_Discount) AND ((@IsNull_WHUnitPrice = 1 AND [WHUnitPrice] IS NULL) OR ([WHUnitPrice] = @Original_WHUnitPrice)) AND ((@IsNull_AvgCost = 1 AND [AvgCost] IS NULL) OR ([AvgCost] = @Original_AvgCost)));
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp Binary or memory string: UPDATE [dbo].[orderdetails] SET [OrderID] = @OrderID, [ProductID] = @ProductID, [UnitPrice] = @UnitPrice, [Quantity] = @Quantity, [Discount] = @Discount, [ExpiryDate] = @ExpiryDate WHERE (([OrderID] = @Original_OrderID) AND ([ProductID] = @Original_ProductID) AND ([UnitPrice] = @Original_UnitPrice) AND ([Quantity] = @Original_Quantity) AND ([Discount] = @Original_Discount) AND ((@IsNull_ExpiryDate = 1 AND [ExpiryDate] IS NULL) OR ([ExpiryDate] = @Original_ExpiryDate)));
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp Binary or memory string: INSERT INTO [dbo].[userstbl] ([Userid], [Passwd], [EmployeeID], [GroupID]) VALUES (@Userid, @Passwd, @EmployeeID, @GroupID);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp Binary or memory string: UPDATE [dbo].[categories] SET [CateryName] = @CateryName, [Description] = @Description, [Picture] = @Picture WHERE (([CategoryID] = @Original_CategoryID) AND ((@IsNull_CateryName = 1 AND [CateryName] IS NULL) OR ([CateryName] = @Original_CateryName)) AND ((@IsNull_Description = 1 AND [Description] IS NULL) OR ([Description] = @Original_Description)));
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp Binary or memory string: INSERT INTO [dbo].[customers] ([CompanyName], [ContactName], [ContactTitle], [Address], [Country], [PhoneNo], [EmailAddress]) VALUES (@CompanyName, @ContactName, @ContactTitle, @Address, @Country, @PhoneNo, @EmailAddress);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp Binary or memory string: UPDATE [Debtors] SET [SalesID] = @SalesID, [CustomerID] = @CustomerID, [EmployeeID] = @EmployeeID, [AmountDue] = @AmountDue, [CompletePayments] = @CompletePayments WHERE (([SalesID] = @Original_SalesID) AND ((@IsNull_CustomerID = 1 AND [CustomerID] IS NULL) OR ([CustomerID] = @Original_CustomerID)) AND ((@IsNull_EmployeeID = 1 AND [EmployeeID] IS NULL) OR ([EmployeeID] = @Original_EmployeeID)) AND ((@IsNull_AmountDue = 1 AND [AmountDue] IS NULL) OR ([AmountDue] = @Original_AmountDue)) AND ((@IsNull_CompletePayments = 1 AND [CompletePayments] IS NULL) OR ([CompletePayments] = @Original_CompletePayments)));
Source: pd9EeXdsQtNb3dQ.exe Binary or memory string: INSERT INTO [dbo].[Jobs] ([JobName], [Description]) VALUES (@JobName, @Description); SELECT JobID, JobName, Description FROM Jobs
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp Binary or memory string: UPDATE [dbo].[Employees] SET [LastName] = @LastName, [FirstName] = @FirstName, [Sex] = @Sex, [JobID] = @JobID, [BirthDate] = @BirthDate, [HireDate] = @HireDate, [Address] = @Address, [PhoneNo] = @PhoneNo, [Country] = @Country, [EmailAddress] = @EmailAddress, [Picture] = @Picture WHERE (([EmployeeID] = @Original_EmployeeID) AND ([LastName] = @Original_LastName) AND ([FirstName] = @Original_FirstName) AND ((@IsNull_Sex = 1 AND [Sex] IS NULL) OR ([Sex] = @Original_Sex)) AND ((@IsNull_JobID = 1 AND [JobID] IS NULL) OR ([JobID] = @Original_JobID)) AND ((@IsNull_BirthDate = 1 AND [BirthDate] IS NULL) OR ([BirthDate] = @Original_BirthDate)) AND ((@IsNull_HireDate = 1 AND [HireDate] IS NULL) OR ([HireDate] = @Original_HireDate)) AND ((@IsNull_Address = 1 AND [Address] IS NULL) OR ([Address] = @Original_Address)) AND ((@IsNull_PhoneNo = 1 AND [PhoneNo] IS NULL) OR ([PhoneNo] = @Original_PhoneNo)) AND ((@IsNull_Country = 1 AND [Country] IS NULL) OR ([Country] = @Original_Country)) AND ((@IsNull_EmailAddress = 1 AND [EmailAddress] IS NULL) OR ([EmailAddress] = @Original_EmailAddress)));
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp Binary or memory string: INSERT INTO [dbo].[tblMenu] ([menuName], [menuText]) VALUES (@menuName, @menuText);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp Binary or memory string: UPDATE [ShopInfo] SET [ShopName] = @ShopName, [Telephone] = @Telephone, [OwnerName] = @OwnerName, [Location] = @Location, [Email] = @Email, [CreatedBy] = @CreatedBy, [CreatedDate] = @CreatedDate, [ModifiedBy] = @ModifiedBy, [ModifiedDate] = @ModifiedDate WHERE (([Id] = @Original_Id) AND ([ShopName] = @Original_ShopName) AND ([Telephone] = @Original_Telephone) AND ((@IsNull_OwnerName = 1 AND [OwnerName] IS NULL) OR ([OwnerName] = @Original_OwnerName)) AND ([Location] = @Original_Location) AND ((@IsNull_Email = 1 AND [Email] IS NULL) OR ([Email] = @Original_Email)) AND ((@IsNull_CreatedBy = 1 AND [CreatedBy] IS NULL) OR ([CreatedBy] = @Original_CreatedBy)) AND ((@IsNull_CreatedDate = 1 AND [CreatedDate] IS NULL) OR ([CreatedDate] = @Original_CreatedDate)) AND ((@IsNull_ModifiedBy = 1 AND [ModifiedBy] IS NULL) OR ([ModifiedBy] = @Original_ModifiedBy)) AND ((@IsNull_ModifiedDate = 1 AND [ModifiedDate] IS NULL) OR ([ModifiedDate] = @Original_ModifiedDate)));
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp Binary or memory string: INSERT INTO [ExpiryDates] ([ProductID], [Quantity], [ExpiryDate], [OrderDetailsID]) VALUES (@ProductID, @Quantity, @ExpiryDate, @OrderDetailsID);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp Binary or memory string: UPDATE [sales] SET [CustomerID] = @CustomerID, [EmployeeID] = @EmployeeID, [SalesDate] = @SalesDate, [SalesTime] = @SalesTime, [PaymentType] = @PaymentType, [TotalAmount] = @TotalAmount, [PriceOffset] = @PriceOffset, [SaleType] = @SaleType WHERE (([SalesID] = @Original_SalesID) AND ((@IsNull_CustomerID = 1 AND [CustomerID] IS NULL) OR ([CustomerID] = @Original_CustomerID)) AND ((@IsNull_EmployeeID = 1 AND [EmployeeID] IS NULL) OR ([EmployeeID] = @Original_EmployeeID)) AND ([SalesDate] = @Original_SalesDate) AND ([SalesTime] = @Original_SalesTime) AND ((@IsNull_PaymentType = 1 AND [PaymentType] IS NULL) OR ([PaymentType] = @Original_PaymentType)) AND ([TotalAmount] = @Original_TotalAmount) AND ((@IsNull_PriceOffset = 1 AND [PriceOffset] IS NULL) OR ([PriceOffset] = @Original_PriceOffset)) AND ((@IsNull_SaleType = 1 AND [SaleType] IS NULL) OR ([SaleType] = @Original_SaleType)));
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp Binary or memory string: INSERT INTO [dbo].[orderdetails] ([OrderID], [ProductID], [UnitPrice], [Quantity], [Discount], [ExpiryDate]) VALUES (@OrderID, @ProductID, @UnitPrice, @Quantity, @Discount, @ExpiryDate);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp Binary or memory string: UPDATE [company_orders] SET [SubplierID] = @SubplierID, [EmployeeID] = @EmployeeID, [OrderDate] = @OrderDate, [RequiredDate] = @RequiredDate, [TotalAmount] = @TotalAmount WHERE (([OrderID] = @Original_OrderID) AND ((@IsNull_SubplierID = 1 AND [SubplierID] IS NULL) OR ([SubplierID] = @Original_SubplierID)) AND ([EmployeeID] = @Original_EmployeeID) AND ([OrderDate] = @Original_OrderDate) AND ((@IsNull_RequiredDate = 1 AND [RequiredDate] IS NULL) OR ([RequiredDate] = @Original_RequiredDate)) AND ((@IsNull_TotalAmount = 1 AND [TotalAmount] IS NULL) OR ([TotalAmount] = @Original_TotalAmount)));
Source: pd9EeXdsQtNb3dQ.exe Binary or memory string: INSERT INTO [Location] ([LocationName], [Description]) VALUES (@LocationName, @Description); SELECT LocationID, LocationName, Desc
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp Binary or memory string: INSERT INTO [usergroups] ([GroupName], [Description], [GroupMenus]) VALUES (@GroupName, @Description, @GroupMenus);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp Binary or memory string: UPDATE [salesdetails] SET [SalesID] = @SalesID, [ProductID] = @ProductID, [UnitPrice] = @UnitPrice, [Quantity] = @Quantity, [Discount] = @Discount WHERE (([SalesID] = @Original_SalesID) AND ([ProductID] = @Original_ProductID) AND ([UnitPrice] = @Original_UnitPrice) AND ([Quantity] = @Original_Quantity) AND ((@IsNull_Discount = 1 AND [Discount] IS NULL) OR ([Discount] = @Original_Discount)));
Source: pd9EeXdsQtNb3dQ.exe Binary or memory string: INSERT INTO [dbo].[tblMenu] ([menuName], [menuText]) VALUES (@menuName, @menuText);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp Binary or memory string: INSERT INTO [ExpenseType] ([TypeName], [Description], [CreatedBy], [CreatedDate], [ModifiedBy], [ModifiedDate]) VALUES (@TypeName, @Description, @CreatedBy, @CreatedDate, @ModifiedBy, @ModifiedDate);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: pd9EeXdsQtNb3dQ.exe Binary or memory string: UPDATE userstbl SET Passwd = @Passwd WHERE (Userid = @Userid);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp Binary or memory string: INSERT INTO [suppliers] ([CompanyName], [ContactName], [Address], [Country], [PhoneNO], [Fax], [HomePage], [EmailAddress]) VALUES (@CompanyName, @ContactName, @Address, @Country, @PhoneNO, @Fax, @HomePage, @EmailAddress);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: pd9EeXdsQtNb3dQ.exe Binary or memory string: INSERT INTO [dbo].[categories] ([CateryName], [Description], [Picture]) VALUES (@CateryName, @Description, @Picture); SELECT Categ
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp Binary or memory string: UPDATE [dbo].[Jobs] SET [JobName] = @JobName, [Description] = @Description WHERE (([JobID] = @Original_JobID) AND ((@IsNull_JobName = 1 AND [JobName] IS NULL) OR ([JobName] = @Original_JobName)) AND ((@IsNull_Description = 1 AND [Description] IS NULL) OR ([Description] = @Original_Description)));
Source: pd9EeXdsQtNb3dQ.exe Virustotal: Detection: 14%
Source: pd9EeXdsQtNb3dQ.exe ReversingLabs: Detection: 51%
Source: pd9EeXdsQtNb3dQ.exe String found in binary or memory: About9HelpToolStripMenuItem1.Image-HelpToolStripMenuItem1
Source: unknown Process created: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe 'C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe'
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Process created: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: pd9EeXdsQtNb3dQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: pd9EeXdsQtNb3dQ.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: pd9EeXdsQtNb3dQ.exe Static file information: File size 2330624 > 1048576
Source: pd9EeXdsQtNb3dQ.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x234a00
Source: pd9EeXdsQtNb3dQ.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: pd9EeXdsQtNb3dQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\megrKadQRn\src\obj\Debug\IMethodMessage.pdb source: pd9EeXdsQtNb3dQ.exe

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_0533659D push esp; ret 0_2_053365A1
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_0533642B push ebp; ret 0_2_0533642C
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_05336461 push ebp; ret 0_2_05336465
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_053364FF push esp; ret 0_2_05336503
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_053364EC push ebp; ret 0_2_053364ED
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_0533663E push ebx; ret 0_2_0533663F
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_053366BD push ebx; ret 0_2_053366C7
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_053366FF push edx; ret 0_2_05336700
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_05336977 push eax; ret 0_2_0533697E
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_05335974 pushad ; ret 0_2_05335975
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_05336947 push ecx; ret 0_2_0533694E
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_053369AE push eax; ret 0_2_053369B0
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_053380E4 push 3400035Eh; ret 0_2_053380E9
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_053368EC push ecx; ret 0_2_053368F3
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_0533639B push esi; ret 0_2_053363A4
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_0533629F push edi; ret 0_2_053362A9
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_059E7CA9 push D0456990h; iretd 0_2_059E7CAE
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_059E6639 push D0456990h; iretd 0_2_059E663E
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 3_2_013C7A37 push edi; retn 0000h 3_2_013C7A39
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 3_2_0141011E push ds; retf 3_2_0141011F
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 3_2_0141CBC2 push 8BFFFFFFh; retf 3_2_0141CBC8
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 3_2_0141F270 push esp; iretd 3_2_0141F271

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: pd9EeXdsQtNb3dQ.exe PID: 6472, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_05330A73 rdtsc 0_2_05330A73
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Window / User API: threadDelayed 666
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Window / User API: threadDelayed 9153
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe TID: 6476 Thread sleep time: -101282s >= -30000s
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe TID: 6532 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe TID: 6864 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe TID: 6868 Thread sleep count: 666 > 30
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe TID: 6868 Thread sleep count: 9153 > 30
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe TID: 6864 Thread sleep count: 40 > 30
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Thread delayed: delay time: 101282
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Thread delayed: delay time: 922337203685477
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp Binary or memory string: vmware
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 0_2_05330A73 rdtsc 0_2_05330A73
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Code function: 3_2_013CC538 LdrInitializeThunk, 3_2_013CC538
Enables debug privileges
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Memory written: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Process created: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.585985572.0000000001980000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.585985572.0000000001980000.00000002.00000001.sdmp Binary or memory string: Progman
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.585985572.0000000001980000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.585985572.0000000001980000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Queries volume information: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe VolumeInformation
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.333313035.00000000037F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.582976077.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: pd9EeXdsQtNb3dQ.exe PID: 6472, type: MEMORY
Source: Yara match File source: Process Memory Space: pd9EeXdsQtNb3dQ.exe PID: 6636, type: MEMORY
Source: Yara match File source: 0.2.pd9EeXdsQtNb3dQ.exe.390c790.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.pd9EeXdsQtNb3dQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.pd9EeXdsQtNb3dQ.exe.390c790.3.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: pd9EeXdsQtNb3dQ.exe PID: 6636, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.333313035.00000000037F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.582976077.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: pd9EeXdsQtNb3dQ.exe PID: 6472, type: MEMORY
Source: Yara match File source: Process Memory Space: pd9EeXdsQtNb3dQ.exe PID: 6636, type: MEMORY
Source: Yara match File source: 0.2.pd9EeXdsQtNb3dQ.exe.390c790.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.pd9EeXdsQtNb3dQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.pd9EeXdsQtNb3dQ.exe.390c790.3.raw.unpack, type: UNPACKEDPE

Behavior Graph:

Behavior Graph ID: 404170, Sample: pd9EeXdsQtNb3dQ.exe, Startdate: 04/05/2021, Architecture: WINDOWS, Score: 100

Start signatures:
  • Found malware configuration
  • Multi AV Scanner detection for submitted file
  • Yara detected AgentTesla
  • 2 other signatures

Process: pd9EeXdsQtNb3dQ.exe (started)
  Dropped file: C:\Users\user\...\pd9EeXdsQtNb3dQ.exe.log, ASCII
  Signatures:
    • Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
    • Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
    • Injects a PE file into a foreign processes
  Child processes: pd9EeXdsQtNb3dQ.exe (started), pd9EeXdsQtNb3dQ.exe (started)
    DNS/IP Info: iykmoreentrprise.org 66.70.204.222, ports 49749 and 587, OVHFR Canada; mail.iykmoreentrprise.org
    Signatures:
      • Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
      • Tries to steal Mail credentials (via file access)
      • Tries to harvest and steal ftp login credentials
      • Tries to harvest and steal browser information (history, passwords, etc)

Contacted Public IPs

IP             Domain                Country  ASN    ASN Name  Malicious
66.70.204.222  iykmoreentrprise.org  Canada   16276  OVHFR     true

Contacted Domains

Name                       IP             Active
iykmoreentrprise.org       66.70.204.222  true
mail.iykmoreentrprise.org  unknown        unknown