Analysis Report pd9EeXdsQtNb3dQ.exe

Overview

General Information

Sample Name: pd9EeXdsQtNb3dQ.exe
Analysis ID: 404170
MD5: 3dad3d4918e28ded77c3e2e93a42665f
SHA1: 8b16dba4992b75a303f63a09d8a41ac99f28ce5c
SHA256: 1b61b157db50652678e1e288cfce86f6c74e40f50a468f6d04d0010c84235210
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • pd9EeXdsQtNb3dQ.exe (PID: 6472 cmdline: 'C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe' MD5: 3DAD3D4918E28DED77C3E2E93A42665F)
    • pd9EeXdsQtNb3dQ.exe (PID: 6620 cmdline: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe MD5: 3DAD3D4918E28DED77C3E2E93A42665F)
    • pd9EeXdsQtNb3dQ.exe (PID: 6636 cmdline: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe MD5: 3DAD3D4918E28DED77C3E2E93A42665F)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "office5@iykmoreentrprise.orgrwkWCM328mail.iykmoreentrprise.org"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.333313035.00000000037F9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.582976077.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.pd9EeXdsQtNb3dQ.exe.390c790.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
3.2.pd9EeXdsQtNb3dQ.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.pd9EeXdsQtNb3dQ.exe.390c790.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 3.2.pd9EeXdsQtNb3dQ.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "office5@iykmoreentrprise.orgrwkWCM328mail.iykmoreentrprise.org"}
Multi AV Scanner detection for submitted file
Source: pd9EeXdsQtNb3dQ.exe | Virustotal: Detection: 14%
Source: pd9EeXdsQtNb3dQ.exe | ReversingLabs: Detection: 51%
Source: 3.2.pd9EeXdsQtNb3dQ.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: pd9EeXdsQtNb3dQ.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: pd9EeXdsQtNb3dQ.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\megrKadQRn\src\obj\Debug\IMethodMessage.pdb source: pd9EeXdsQtNb3dQ.exe
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_059ED9A0
Source: global traffic | TCP traffic: 192.168.2.6:49749 -> 66.70.204.222:587
Source: Joe Sandbox View | IP Address: 66.70.204.222
Source: Joe Sandbox View | ASN Name: OVHFR
Source: unknown | DNS traffic detected: queries for: mail.iykmoreentrprise.org
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp | String found in binary or memory: http://DXvqav.com
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588712219.0000000003398000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588755539.00000000033A6000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588712219.0000000003398000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588712219.0000000003398000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588712219.0000000003398000.00000004.00000001.sdmp | String found in binary or memory: http://iykmoreentrprise.org
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588712219.0000000003398000.00000004.00000001.sdmp | String found in binary or memory: http://mail.iykmoreentrprise.org
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588755539.00000000033A6000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588755539.00000000033A6000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.331949813.00000000027F1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: pd9EeXdsQtNb3dQ.exe | String found in binary or memory: http://tempuri.org/Shops_DBDataSet.xsd
Source: pd9EeXdsQtNb3dQ.exe | String found in binary or memory: http://tempuri.org/Shops_DBDataSet.xsd9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGPrope
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588834930.00000000033C6000.00000004.00000001.sdmp | String found in binary or memory: https://NtZtA8FE2WmoFQd.com
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.333313035.00000000037F9000.00000004.00000001.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000002.582976077.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: pd9EeXdsQtNb3dQ.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.333313035.00000000037F9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamekwwXmjSlWzClvYrsuIIfArLMqOg.exe4 vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.333313035.00000000037F9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.331949813.00000000027F1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll( vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000000.317330341.0000000000568000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIMethodMessage.exe: vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe, 00000002.00000002.327814127.0000000000568000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIMethodMessage.exe: vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328988968.0000000000CC8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIMethodMessage.exe: vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.584799956.0000000001420000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.585395067.00000000014F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.582976077.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamekwwXmjSlWzClvYrsuIIfArLMqOg.exe4 vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.583993167.00000000010F8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe | Binary or memory string: OriginalFilenameIMethodMessage.exe: vs pd9EeXdsQtNb3dQ.exe
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/1@2/1
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pd9EeXdsQtNb3dQ.exe.log
Source: pd9EeXdsQtNb3dQ.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [dbo].[categories] ([CateryName], [Description], [Picture]) VALUES (@CateryName, @Description, @Picture);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: UPDATE [creditors] SET [OrderID] = @OrderID, [SupplierID] = @SupplierID, [EmployeeID] = @EmployeeID, [AmountDue] = @AmountDue, [CompletePayments] = @CompletePayments WHERE (([OrderID] = @Original_OrderID) AND ([SupplierID] = @Original_SupplierID) AND ([EmployeeID] = @Original_EmployeeID) AND ([AmountDue] = @Original_AmountDue) AND ([CompletePayments] = @Original_CompletePayments));
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: UPDATE [ExpenseType] SET [TypeName] = @TypeName, [Description] = @Description, [CreatedBy] = @CreatedBy, [CreatedDate] = @CreatedDate, [ModifiedBy] = @ModifiedBy, [ModifiedDate] = @ModifiedDate WHERE (([Id] = @Original_Id) AND ([TypeName] = @Original_TypeName) AND ((@IsNull_Description = 1 AND [Description] IS NULL) OR ([Description] = @Original_Description)) AND ((@IsNull_CreatedBy = 1 AND [CreatedBy] IS NULL) OR ([CreatedBy] = @Original_CreatedBy)) AND ((@IsNull_CreatedDate = 1 AND [CreatedDate] IS NULL) OR ([CreatedDate] = @Original_CreatedDate)) AND ((@IsNull_ModifiedBy = 1 AND [ModifiedBy] IS NULL) OR ([ModifiedBy] = @Original_ModifiedBy)) AND ((@IsNull_ModifiedDate = 1 AND [ModifiedDate] IS NULL) OR ([ModifiedDate] = @Original_ModifiedDate)));
Source: pd9EeXdsQtNb3dQ.exe | Binary or memory string: INSERT INTO [usergroups] ([GroupName], [Description], [GroupMenus]) VALUES (@GroupName, @Description, @GroupMenus); SELECT GroupID
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: pd9EeXdsQtNb3dQ.exe | Binary or memory string: INSERT INTO [dbo].[tblMenu] ([menuName], [menuText]) VALUES (@menuName, @menuText); SELECT menuID, menuName, menuText FROM tblMenu
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [products] ([ProductCode], [ProductName], [CategoryID], [UnitPrice], [UnitsInStock], [ReorderLevel], [Discontinued], [Description], [LocationID], [Discount], [WHUnitPrice], [AvgCost]) VALUES (@ProductCode, @ProductName, @CategoryID, @UnitPrice, @UnitsInStock, @ReorderLevel, @Discontinued, @Description, @LocationID, @Discount, @WHUnitPrice, @AvgCost);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: UPDATE [ExpiryDates] SET [ProductID] = @ProductID, [Quantity] = @Quantity, [ExpiryDate] = @ExpiryDate, [OrderDetailsID] = @OrderDetailsID WHERE (([ExpiryDateID] = @Original_ExpiryDateID) AND ([ProductID] = @Original_ProductID) AND ([Quantity] = @Original_Quantity) AND ([ExpiryDate] = @Original_ExpiryDate) AND ([OrderDetailsID] = @Original_OrderDetailsID));
Source: pd9EeXdsQtNb3dQ.exe | Binary or memory string: INSERT INTO [dbo].[userstbl] ([Userid], [Passwd], [EmployeeID], [GroupID]) VALUES (@Userid, @Passwd, @EmployeeID, @GroupID); SELEC
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [sales] ([CustomerID], [EmployeeID], [SalesDate], [SalesTime], [PaymentType], [TotalAmount], [PriceOffset], [SaleType]) VALUES (@CustomerID, @EmployeeID, @SalesDate, @SalesTime, @PaymentType, @TotalAmount, @PriceOffset, @SaleType);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [dbo].[Employees] ([LastName], [FirstName], [Sex], [JobID], [BirthDate], [HireDate], [Address], [PhoneNo], [Country], [EmailAddress], [Picture]) VALUES (@LastName, @FirstName, @Sex, @JobID, @BirthDate, @HireDate, @Address, @PhoneNo, @Country, @EmailAddress, @Picture);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: UPDATE [usergroups] SET [GroupName] = @GroupName, [Description] = @Description, [GroupMenus] = @GroupMenus WHERE (([GroupID] = @Original_GroupID) AND ([GroupName] = @Original_GroupName) AND ((@IsNull_Description = 1 AND [Description] IS NULL) OR ([Description] = @Original_Description)));
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: UPDATE [products] SET [ProductCode] = @ProductCode, [ProductName] = @ProductName, [CategoryID] = @CategoryID, [UnitPrice] = @UnitPrice, [UnitsInStock] = @UnitsInStock, [ReorderLevel] = @ReorderLevel, [Discontinued] = @Discontinued, [Description] = @Description, [LocationID] = @LocationID, [Discount] = @Discount, [WHUnitPrice] = @WHUnitPrice, [AvgCost] = @AvgCost WHERE (([ProductID] = @Original_ProductID) AND ((@IsNull_ProductCode = 1 AND [ProductCode] IS NULL) OR ([ProductCode] = @Original_ProductCode)) AND ([ProductName] = @Original_ProductName) AND ([CategoryID] = @Original_CategoryID) AND ([UnitPrice] = @Original_UnitPrice) AND ([UnitsInStock] = @Original_UnitsInStock) AND ((@IsNull_ReorderLevel = 1 AND [ReorderLevel] IS NULL) OR ([ReorderLevel] = @Original_ReorderLevel)) AND ((@IsNull_Discontinued = 1 AND [Discontinued] IS NULL) OR ([Discontinued] = @Original_Discontinued)) AND ((@IsNull_Description = 1 AND [Description] IS NULL) OR ([Description] = @Original_Description)) AND ((@IsNull_LocationID = 1 AND [LocationID] IS NULL) OR ([LocationID] = @Original_LocationID)) AND ([Discount] = @Original_Discount) AND ((@IsNull_WHUnitPrice = 1 AND [WHUnitPrice] IS NULL) OR ([WHUnitPrice] = @Original_WHUnitPrice)) AND ((@IsNull_AvgCost = 1 AND [AvgCost] IS NULL) OR ([AvgCost] = @Original_AvgCost)));
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: UPDATE [dbo].[orderdetails] SET [OrderID] = @OrderID, [ProductID] = @ProductID, [UnitPrice] = @UnitPrice, [Quantity] = @Quantity, [Discount] = @Discount, [ExpiryDate] = @ExpiryDate WHERE (([OrderID] = @Original_OrderID) AND ([ProductID] = @Original_ProductID) AND ([UnitPrice] = @Original_UnitPrice) AND ([Quantity] = @Original_Quantity) AND ([Discount] = @Original_Discount) AND ((@IsNull_ExpiryDate = 1 AND [ExpiryDate] IS NULL) OR ([ExpiryDate] = @Original_ExpiryDate)));
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [dbo].[userstbl] ([Userid], [Passwd], [EmployeeID], [GroupID]) VALUES (@Userid, @Passwd, @EmployeeID, @GroupID);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: UPDATE [dbo].[categories] SET [CateryName] = @CateryName, [Description] = @Description, [Picture] = @Picture WHERE (([CategoryID] = @Original_CategoryID) AND ((@IsNull_CateryName = 1 AND [CateryName] IS NULL) OR ([CateryName] = @Original_CateryName)) AND ((@IsNull_Description = 1 AND [Description] IS NULL) OR ([Description] = @Original_Description)));
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [dbo].[customers] ([CompanyName], [ContactName], [ContactTitle], [Address], [Country], [PhoneNo], [EmailAddress]) VALUES (@CompanyName, @ContactName, @ContactTitle, @Address, @Country, @PhoneNo, @EmailAddress);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: UPDATE [Debtors] SET [SalesID] = @SalesID, [CustomerID] = @CustomerID, [EmployeeID] = @EmployeeID, [AmountDue] = @AmountDue, [CompletePayments] = @CompletePayments WHERE (([SalesID] = @Original_SalesID) AND ((@IsNull_CustomerID = 1 AND [CustomerID] IS NULL) OR ([CustomerID] = @Original_CustomerID)) AND ((@IsNull_EmployeeID = 1 AND [EmployeeID] IS NULL) OR ([EmployeeID] = @Original_EmployeeID)) AND ((@IsNull_AmountDue = 1 AND [AmountDue] IS NULL) OR ([AmountDue] = @Original_AmountDue)) AND ((@IsNull_CompletePayments = 1 AND [CompletePayments] IS NULL) OR ([CompletePayments] = @Original_CompletePayments)));
Source: pd9EeXdsQtNb3dQ.exe | Binary or memory string: INSERT INTO [dbo].[Jobs] ([JobName], [Description]) VALUES (@JobName, @Description); SELECT JobID, JobName, Description FROM Jobs
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: UPDATE [dbo].[Employees] SET [LastName] = @LastName, [FirstName] = @FirstName, [Sex] = @Sex, [JobID] = @JobID, [BirthDate] = @BirthDate, [HireDate] = @HireDate, [Address] = @Address, [PhoneNo] = @PhoneNo, [Country] = @Country, [EmailAddress] = @EmailAddress, [Picture] = @Picture WHERE (([EmployeeID] = @Original_EmployeeID) AND ([LastName] = @Original_LastName) AND ([FirstName] = @Original_FirstName) AND ((@IsNull_Sex = 1 AND [Sex] IS NULL) OR ([Sex] = @Original_Sex)) AND ((@IsNull_JobID = 1 AND [JobID] IS NULL) OR ([JobID] = @Original_JobID)) AND ((@IsNull_BirthDate = 1 AND [BirthDate] IS NULL) OR ([BirthDate] = @Original_BirthDate)) AND ((@IsNull_HireDate = 1 AND [HireDate] IS NULL) OR ([HireDate] = @Original_HireDate)) AND ((@IsNull_Address = 1 AND [Address] IS NULL) OR ([Address] = @Original_Address)) AND ((@IsNull_PhoneNo = 1 AND [PhoneNo] IS NULL) OR ([PhoneNo] = @Original_PhoneNo)) AND ((@IsNull_Country = 1 AND [Country] IS NULL) OR ([Country] = @Original_Country)) AND ((@IsNull_EmailAddress = 1 AND [EmailAddress] IS NULL) OR ([EmailAddress] = @Original_EmailAddress)));
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [dbo].[tblMenu] ([menuName], [menuText]) VALUES (@menuName, @menuText);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: UPDATE [ShopInfo] SET [ShopName] = @ShopName, [Telephone] = @Telephone, [OwnerName] = @OwnerName, [Location] = @Location, [Email] = @Email, [CreatedBy] = @CreatedBy, [CreatedDate] = @CreatedDate, [ModifiedBy] = @ModifiedBy, [ModifiedDate] = @ModifiedDate WHERE (([Id] = @Original_Id) AND ([ShopName] = @Original_ShopName) AND ([Telephone] = @Original_Telephone) AND ((@IsNull_OwnerName = 1 AND [OwnerName] IS NULL) OR ([OwnerName] = @Original_OwnerName)) AND ([Location] = @Original_Location) AND ((@IsNull_Email = 1 AND [Email] IS NULL) OR ([Email] = @Original_Email)) AND ((@IsNull_CreatedBy = 1 AND [CreatedBy] IS NULL) OR ([CreatedBy] = @Original_CreatedBy)) AND ((@IsNull_CreatedDate = 1 AND [CreatedDate] IS NULL) OR ([CreatedDate] = @Original_CreatedDate)) AND ((@IsNull_ModifiedBy = 1 AND [ModifiedBy] IS NULL) OR ([ModifiedBy] = @Original_ModifiedBy)) AND ((@IsNull_ModifiedDate = 1 AND [ModifiedDate] IS NULL) OR ([ModifiedDate] = @Original_ModifiedDate)));
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [ExpiryDates] ([ProductID], [Quantity], [ExpiryDate], [OrderDetailsID]) VALUES (@ProductID, @Quantity, @ExpiryDate, @OrderDetailsID);
                  Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmpBinary or memory string: UPDATE [sales] SET [CustomerID] = @CustomerID, [EmployeeID] = @EmployeeID, [SalesDate] = @SalesDate, [SalesTime] = @SalesTime, [PaymentType] = @PaymentType, [TotalAmount] = @TotalAmount, [PriceOffset] = @PriceOffset, [SaleType] = @SaleType WHERE (([SalesID] = @Original_SalesID) AND ((@IsNull_CustomerID = 1 AND [CustomerID] IS NULL) OR ([CustomerID] = @Original_CustomerID)) AND ((@IsNull_EmployeeID = 1 AND [EmployeeID] IS NULL) OR ([EmployeeID] = @Original_EmployeeID)) AND ([SalesDate] = @Original_SalesDate) AND ([SalesTime] = @Original_SalesTime) AND ((@IsNull_PaymentType = 1 AND [PaymentType] IS NULL) OR ([PaymentType] = @Original_PaymentType)) AND ([TotalAmount] = @Original_TotalAmount) AND ((@IsNull_PriceOffset = 1 AND [PriceOffset] IS NULL) OR ([PriceOffset] = @Original_PriceOffset)) AND ((@IsNull_SaleType = 1 AND [SaleType] IS NULL) OR ([SaleType] = @Original_SaleType)));
                  Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmpBinary or memory string: INSERT INTO [dbo].[orderdetails] ([OrderID], [ProductID], [UnitPrice], [Quantity], [Discount], [ExpiryDate]) VALUES (@OrderID, @ProductID, @UnitPrice, @Quantity, @Discount, @ExpiryDate);
                  Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmpBinary or memory string: UPDATE [company_orders] SET [SubplierID] = @SubplierID, [EmployeeID] = @EmployeeID, [OrderDate] = @OrderDate, [RequiredDate] = @RequiredDate, [TotalAmount] = @TotalAmount WHERE (([OrderID] = @Original_OrderID) AND ((@IsNull_SubplierID = 1 AND [SubplierID] IS NULL) OR ([SubplierID] = @Original_SubplierID)) AND ([EmployeeID] = @Original_EmployeeID) AND ([OrderDate] = @Original_OrderDate) AND ((@IsNull_RequiredDate = 1 AND [RequiredDate] IS NULL) OR ([RequiredDate] = @Original_RequiredDate)) AND ((@IsNull_TotalAmount = 1 AND [TotalAmount] IS NULL) OR ([TotalAmount] = @Original_TotalAmount)));
                  Source: pd9EeXdsQtNb3dQ.exeBinary or memory string: INSERT INTO [Location] ([LocationName], [Description]) VALUES (@LocationName, @Description); SELECT LocationID, LocationName, Desc
                  Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
                  Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmpBinary or memory string: INSERT INTO [usergroups] ([GroupName], [Description], [GroupMenus]) VALUES (@GroupName, @Description, @GroupMenus);
                  Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmpBinary or memory string: UPDATE [salesdetails] SET [SalesID] = @SalesID, [ProductID] = @ProductID, [UnitPrice] = @UnitPrice, [Quantity] = @Quantity, [Discount] = @Discount WHERE (([SalesID] = @Original_SalesID) AND ([ProductID] = @Original_ProductID) AND ([UnitPrice] = @Original_UnitPrice) AND ([Quantity] = @Original_Quantity) AND ((@IsNull_Discount = 1 AND [Discount] IS NULL) OR ([Discount] = @Original_Discount)));
                  Source: pd9EeXdsQtNb3dQ.exeBinary or memory string: INSERT INTO [dbo].[tblMenu] ([menuName], [menuText]) VALUES (@menuName, @menuText);
                  Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmpBinary or memory string: INSERT INTO [ExpenseType] ([TypeName], [Description], [CreatedBy], [CreatedDate], [ModifiedBy], [ModifiedDate]) VALUES (@TypeName, @Description, @CreatedBy, @CreatedDate, @ModifiedBy, @ModifiedDate);
                  Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
                  Source: pd9EeXdsQtNb3dQ.exeBinary or memory string: UPDATE userstbl SET Passwd = @Passwd WHERE (Userid = @Userid);
                  Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmpBinary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
                  Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmpBinary or memory string: INSERT INTO [suppliers] ([CompanyName], [ContactName], [Address], [Country], [PhoneNO], [Fax], [HomePage], [EmailAddress]) VALUES (@CompanyName, @ContactName, @Address, @Country, @PhoneNO, @Fax, @HomePage, @EmailAddress);
                  Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
                  Source: pd9EeXdsQtNb3dQ.exeBinary or memory string: INSERT INTO [dbo].[categories] ([CateryName], [Description], [Picture]) VALUES (@CateryName, @Description, @Picture); SELECT Categ
                  Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmpBinary or memory string: UPDATE [dbo].[Jobs] SET [JobName] = @JobName, [Description] = @Description WHERE (([JobID] = @Original_JobID) AND ((@IsNull_JobName = 1 AND [JobName] IS NULL) OR ([JobName] = @Original_JobName)) AND ((@IsNull_Description = 1 AND [Description] IS NULL) OR ([Description] = @Original_Description)));
Source: pd9EeXdsQtNb3dQ.exe | Virustotal: Detection: 14%
Source: pd9EeXdsQtNb3dQ.exe | ReversingLabs: Detection: 51%
Source: pd9EeXdsQtNb3dQ.exe | String found in binary or memory: About9HelpToolStripMenuItem1.Image-HelpToolStripMenuItem1
Source: unknown | Process created: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe 'C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe'
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Process created: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Process created: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: pd9EeXdsQtNb3dQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: pd9EeXdsQtNb3dQ.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: pd9EeXdsQtNb3dQ.exe | Static file information: File size 2330624 > 1048576
Source: pd9EeXdsQtNb3dQ.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x234a00
Source: pd9EeXdsQtNb3dQ.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: pd9EeXdsQtNb3dQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\megrKadQRn\src\obj\Debug\IMethodMessage.pdb | source: pd9EeXdsQtNb3dQ.exe
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_0533659D push esp; ret | 0_2_053365A1
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_0533642B push ebp; ret | 0_2_0533642C
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_05336461 push ebp; ret | 0_2_05336465
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_053364FF push esp; ret | 0_2_05336503
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_053364EC push ebp; ret | 0_2_053364ED
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_0533663E push ebx; ret | 0_2_0533663F
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_053366BD push ebx; ret | 0_2_053366C7
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_053366FF push edx; ret | 0_2_05336700
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_05336977 push eax; ret | 0_2_0533697E
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_05335974 pushad ; ret | 0_2_05335975
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_05336947 push ecx; ret | 0_2_0533694E
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_053369AE push eax; ret | 0_2_053369B0
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_053380E4 push 3400035Eh; ret | 0_2_053380E9
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_053368EC push ecx; ret | 0_2_053368F3
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_0533639B push esi; ret | 0_2_053363A4
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_0533629F push edi; ret | 0_2_053362A9
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_059E7CA9 push D0456990h; iretd | 0_2_059E7CAE
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_059E6639 push D0456990h; iretd | 0_2_059E663E
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 3_2_013C7A37 push edi; retn 0000h | 3_2_013C7A39
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 3_2_0141011E push ds; retf | 3_2_0141011F
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 3_2_0141CBC2 push 8BFFFFFFh; retf | 3_2_0141CBC8
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 3_2_0141F270 push esp; iretd | 3_2_0141F271
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Process information set: NOOPENFILEERRORBOX (87 identical entries in the report, collapsed to one)

                  Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: pd9EeXdsQtNb3dQ.exe PID: 6472, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_05330A73 rdtsc | 0_2_05330A73
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Window / User API: threadDelayed 666
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Window / User API: threadDelayed 9153
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe TID: 6476 | Thread sleep time: -101282s >= -30000s
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe TID: 6532 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe TID: 6864 | Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe TID: 6868 | Thread sleep count: 666 > 30
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe TID: 6868 | Thread sleep count: 9153 > 30
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe TID: 6864 | Thread sleep count: 40 > 30
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Thread delayed: delay time: 101282
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Thread delayed: delay time: 922337203685477
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_05330A73 rdtsc | 0_2_05330A73
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 3_2_013CC538 LdrInitializeThunk | 3_2_013CC538
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Memory allocated: page read and write | page guard
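The WMI classes (Win32_BaseBoard, Win32_NetworkAdapterConfiguration, Win32_Processor), the registry paths, the SBIEDLL.DLL module name and the WINE_GET_UNIX_FILE_NAME export listed in this section each expose one guest artifact. The following is an added example, not part of the Joe Sandbox report and not code recovered from the sample: a Python checker that maps each of those lookups to the value it reveals and scores a host profile against them, so an analyst can feed in the values a sandbox VM actually returns and see which of the listed checks it would fail. The two profiles are constructed; which registry value the sample reads at each path, the low-core-count heuristic and the marker lists are assumptions about how such checks are commonly written, not facts established by the report.

```python
"""Score a host profile against the anti-VM artifacts named in the evasion section.

Example code written for this page; the sample's exact checks are not known."""

# VMware-assigned OUIs (first three octets of a MAC address).
VMWARE_OUIS = {"00:05:69", "00:0C:29", "00:1C:14", "00:50:56"}

# Substrings that mark a value as coming from a hypervisor. "440bx desktop reference
# platform" is the Win32_BaseBoard.Product string VMware guests report.
VM_MARKERS = ("vmware", "virtual", "vbox", "qemu", "xen", "440bx desktop reference platform")

# Registry paths seen in the sample's memory -> the value name such a check reads
# (assumption: these are the standard values; the sample may read others).
REGISTRY_CHECKS = {
    r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0": "Identifier",
    r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0": "Identifier",
    r"SYSTEM\ControlSet001\Services\Disk\Enum": "0",
    r"SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000": "DriverDesc",
    r"SOFTWARE\VMware, Inc.\VMware Tools": "InstallPath",
}


def _marked(value):
    return any(m in value.lower() for m in VM_MARKERS)


def assess_vm_exposure(profile):
    """profile: dict with keys baseboard, adapters, processor, registry, modules,
    kernel32_exports (all optional). Returns sorted (artifact, value) pairs that a
    VM-aware loader could use to decide it is being analysed."""
    hits = []
    board = profile.get("baseboard", {})
    for field in ("Manufacturer", "Product"):          # Win32_BaseBoard
        if _marked(board.get(field, "")):
            hits.append(("Win32_BaseBoard." + field, board[field]))
    for nic in profile.get("adapters", []):            # Win32_NetworkAdapterConfiguration
        mac = nic.get("MACAddress", "").upper()
        if mac[:8] in VMWARE_OUIS:
            hits.append(("Win32_NetworkAdapterConfiguration.MACAddress", mac))
    cores = profile.get("processor", {}).get("NumberOfCores", 0)   # Win32_Processor
    if cores < 2:   # assumption: single-core guests are a common sandbox heuristic
        hits.append(("Win32_Processor.NumberOfCores", str(cores)))
    registry = profile.get("registry", {})
    for path, value_name in REGISTRY_CHECKS.items():
        value = registry.get(path, {}).get(value_name)
        if value and _marked(value):
            hits.append((path + "\\" + value_name, value))
    for module in profile.get("modules", []):          # Sandboxie injects this DLL
        if module.lower() == "sbiedll.dll":
            hits.append(("loaded module", module))
    for export in profile.get("kernel32_exports", []): # only Wine's kernel32 has it
        if export.lower() == "wine_get_unix_file_name":
            hits.append(("kernel32 export", export))
    return sorted(hits)


# Constructed profiles (not captured from any real machine).
VMWARE_GUEST = {
    "baseboard": {"Manufacturer": "Intel Corporation", "Product": "440BX Desktop Reference Platform"},
    "adapters": [{"MACAddress": "00:0c:29:3a:7f:1d"}],
    "processor": {"NumberOfCores": 1},
    "registry": {
        r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0":
            {"Identifier": "VMware, VMware Virtual S1.0"},
        r"SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000":
            {"DriverDesc": "VMware SVGA II"},
        r"SOFTWARE\VMware, Inc.\VMware Tools": {"InstallPath": r"C:\Program Files\VMware\VMware Tools\\"},
    },
    "modules": ["ntdll.dll", "SbieDll.dll"],
}

BARE_METAL = {
    "baseboard": {"Manufacturer": "ASUSTeK COMPUTER INC.", "Product": "PRIME Z390-A"},
    "adapters": [{"MACAddress": "3c:7c:3f:12:34:56"}],
    "processor": {"NumberOfCores": 8},
    "registry": {
        r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0":
            {"Identifier": "Samsung SSD 970 EVO 1TB"},
        r"SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000":
            {"DriverDesc": "NVIDIA GeForce GTX 1660"},
    },
    "modules": ["ntdll.dll"],
}

if __name__ == "__main__":
    for name, prof in (("vmware guest", VMWARE_GUEST), ("bare metal", BARE_METAL)):
        print(name, "->", len(assess_vm_exposure(prof)), "artifacts")
        for artifact, value in assess_vm_exposure(prof):
            print("   ", artifact, "=", value)
```

Replace the constructed profiles with the values your own analysis VM returns (the same WMI classes via Get-CimInstance and the same registry paths) and every remaining hit is an artifact this family of checks can key on.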

                  HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Memory written: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Process created: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Process created: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe
                  Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.585985572.0000000001980000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                  Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.585985572.0000000001980000.00000002.00000001.sdmpBinary or memory string: Progman
                  Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.585985572.0000000001980000.00000002.00000001.sdmpBinary or memory string: &Program Manager
                  Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.585985572.0000000001980000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                  Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exeQueries volume information: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exeQueries volume information: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.333313035.00000000037F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.582976077.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: pd9EeXdsQtNb3dQ.exe PID: 6472, type: MEMORY
Source: Yara match | File source: Process Memory Space: pd9EeXdsQtNb3dQ.exe PID: 6636, type: MEMORY
Source: Yara match | File source: 0.2.pd9EeXdsQtNb3dQ.exe.390c790.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.pd9EeXdsQtNb3dQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pd9EeXdsQtNb3dQ.exe.390c790.3.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: pd9EeXdsQtNb3dQ.exe PID: 6636, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.333313035.00000000037F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.582976077.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: pd9EeXdsQtNb3dQ.exe PID: 6472, type: MEMORY
Source: Yara match | File source: Process Memory Space: pd9EeXdsQtNb3dQ.exe PID: 6636, type: MEMORY
Source: Yara match | File source: 0.2.pd9EeXdsQtNb3dQ.exe.390c790.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.pd9EeXdsQtNb3dQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pd9EeXdsQtNb3dQ.exe.390c790.3.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation211 | Path Interception | Process Injection112 | Masquerading1 | OS Credential Dumping2 | Query Registry1 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Command and Scripting Interpreter2 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | Credentials in Registry1 | Security Software Discovery221 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion131 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Local System2 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection112 | NTDS | Virtualization/Sandbox Evasion131 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information2 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing1 | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery114 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

Behavior Graph

(graph image not included in this export)

Screenshots

(screenshot thumbnails not included in this export)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
pd9EeXdsQtNb3dQ.exe | 14% | Virustotal |
pd9EeXdsQtNb3dQ.exe | 52% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
3.2.pd9EeXdsQtNb3dQ.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://iykmoreentrprise.org | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
https://NtZtA8FE2WmoFQd.com | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://DXvqav.com | 0% | Avira URL Cloud | safe
http://r3.o.lencr.org0 | 0% | URL Reputation | safe
http://tempuri.org/Shops_DBDataSet.xsd9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGPrope | 0% | Avira URL Cloud | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://mail.iykmoreentrprise.org | 0% | Avira URL Cloud | safe
http://tempuri.org/Shops_DBDataSet.xsd | 0% | Avira URL Cloud | safe
https://api.ipify.org%$ | 0% | Avira URL Cloud | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe
http://r3.i.lencr.org/0 | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
iykmoreentrprise.org | 66.70.204.222 | true | true | | unknown
mail.iykmoreentrprise.org | unknown | unknown | true | | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://iykmoreentrprise.org | pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588712219.0000000003398000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://DynDns.comDynDNS | pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://cps.letsencrypt.org0 | pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588755539.00000000033A6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://NtZtA8FE2WmoFQd.com | pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588834930.00000000033C6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://DXvqav.com | pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://r3.o.lencr.org0 | pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588755539.00000000033A6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Shops_DBDataSet.xsd9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGPrope | pd9EeXdsQtNb3dQ.exe | false | Avira URL Cloud: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | pd9EeXdsQtNb3dQ.exe, 00000000.00000002.331949813.00000000027F1000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | pd9EeXdsQtNb3dQ.exe, 00000000.00000002.333313035.00000000037F9000.00000004.00000001.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000002.582976077.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | false | | high
http://mail.iykmoreentrprise.org | pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588712219.0000000003398000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Shops_DBDataSet.xsd | pd9EeXdsQtNb3dQ.exe | false | Avira URL Cloud: safe | unknown
https://api.ipify.org%$ | pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://cps.root-x1.letsencrypt.org0 | pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588712219.0000000003398000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://r3.i.lencr.org/0 | pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588755539.00000000033A6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
66.70.204.222 | iykmoreentrprise.org | Canada | 16276 | OVHFR | true

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 404170
Start date: 04.05.2021
Start time: 19:12:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 14s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: pd9EeXdsQtNb3dQ.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@5/1@2/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 40
• Number of non-executed functions: 23
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 104.43.139.144, 92.122.145.220, 13.64.90.137, 104.43.193.48, 2.23.155.184, 2.23.155.241, 2.23.155.219, 2.23.155.240, 20.82.210.154, 92.122.213.247, 92.122.213.194, 205.185.216.10, 205.185.216.42, 52.155.217.156, 20.54.26.129, 23.57.80.111
• Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, 2-01-3cf7-0009.cdx.cedexis.net, store-images.s-microsoft.com-c.edgekey.net, a767.dspw65.akamai.net, wu-fg-shim.trafficmanager.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, download.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, skypedataprdcolcus15.cloudapp.net, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
19:13:04 | API Interceptor | 677x Sleep call for process: pd9EeXdsQtNb3dQ.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
66.70.204.222 | SecuriteInfo.com.W32.MSIL_Troj.ASI.genEldorado.27642.exe | malicious
 | MZyeln5mSFOjxMx.exe | malicious
 | FFrIJMwrI9cxeIZ.exe | malicious
 | cljz48xwqb2VSBN.exe | malicious
 | QTY 98657 RFQ MANDATE 020521.0003YDK.exe | malicious
 | foakTEjUOvL9nBY.exe | malicious
 | n4QstFh7YkjVcrU.exe | malicious
 | AVuOP2vLzIMRG88.exe | malicious
 | 316e3796_by_Libranalysis.exe | malicious
 | GQTY 98657 RFQ MANDATE 28421.02AWYD.exe | malicious
 | VJNPltkyHyI3CCo.exe | malicious
 | 0L2qr7kJMh40sxq.exe | malicious
 | ApuE9QrdQxe7Um6.exe | malicious
 | 77iET1jNLJyV8ez.exe | malicious
 | bOkrXdoYekZPyWI.exe | malicious
 | ayZYB5SkqMPA06M.exe | malicious
 | fyZ6iHys7ClIHFR.exe | malicious
 | uMLNLd9kgPez84h.exe | malicious
 | YQfInBo2DDpDfIX.exe | malicious
 | ORDER 700198.exe | malicious

Domains

Match | Associated Sample Name / URL | Detection

ASN

Match | Associated Sample Name / URL | Detection | Context
OVHFR | Outstanding-Debt-1840996632-05042021.xlsm | malicious | 51.89.73.159
 | SecuriteInfo.com.W32.MSIL_Troj.ASI.genEldorado.27642.exe | malicious | 66.70.204.222
 | Outstanding-Debt-610716193-05042021.xlsm | malicious | 51.89.73.159
 | Outstanding-Debt-1840996632-05042021.xlsm | malicious | 51.89.73.159
 | New Order Request_0232147.exe | malicious | 149.202.85.210
 | Transcation03232016646pdf.exe | malicious | 79.137.109.121
 | 5e60c283_by_Libranalysis.xlsm | malicious | 51.77.73.218
 | MZyeln5mSFOjxMx.exe | malicious | 66.70.204.222
 | 5e60c283_by_Libranalysis.xlsm | malicious | 51.77.73.218
 | 51086cc4_by_Libranalysis.dll | malicious | 167.114.113.13
 | 8aa43191_by_Libranalysis.dll | malicious | 167.114.113.13
 | 5e60c283_by_Libranalysis.xlsm | malicious | 51.77.73.218
 | 51086cc4_by_Libranalysis.dll | malicious | 167.114.113.13
 | 8aa43191_by_Libranalysis.dll | malicious | 167.114.113.13
 | 840e7dfd_by_Libranalysis.dll | malicious | 167.114.113.13
 | 840e7dfd_by_Libranalysis.dll | malicious | 167.114.113.13
 | 94765446_by_Libranalysis.dll | malicious | 167.114.113.13
 | d192feb6_by_Libranalysis.dll | malicious | 167.114.113.13
 | 7bc33f1c_by_Libranalysis.dll | malicious | 167.114.113.13
 | 94765446_by_Libranalysis.dll | malicious | 167.114.113.13

                                                                  JA3 Fingerprints

                                                                  No context

                                                                  Dropped Files

                                                                  No context

                                                                  Created / dropped Files

                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pd9EeXdsQtNb3dQ.exe.log
                                                                  Process:C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1314
                                                                  Entropy (8bit):5.350128552078965
                                                                  Encrypted:false
                                                                  SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                                  MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                                  SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                                  SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                                  SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                                  Malicious:true
                                                                  Reputation:high, very likely benign file
                                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                                                  Static File Info

                                                                  General

                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Entropy (8bit):6.607400063403851
                                                                  TrID:
                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                  • Windows Screen Saver (13104/52) 0.07%
                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                  File name:pd9EeXdsQtNb3dQ.exe
                                                                  File size:2330624
                                                                  MD5:3dad3d4918e28ded77c3e2e93a42665f
                                                                  SHA1:8b16dba4992b75a303f63a09d8a41ac99f28ce5c
                                                                  SHA256:1b61b157db50652678e1e288cfce86f6c74e40f50a468f6d04d0010c84235210
                                                                  SHA512:57173561296c538c174c3299ea6b64156c48977d8f958f86f14578d4a630ea80e7b6b890e6d1a21f94a1d556173db442b953b685de910f25d886cdeda88b3132
                                                                  SSDEEP:24576:sPlzZc9mZUzZZE1XcEoLfOo5MkdoG1eJk14kocZmPBDmIO:sPlz2tZauEoL3McoG1gcw3d
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P..J#..D.......i#.. ....#...@.. ........................$...........@................................

                                                                  File Icon

                                                                  Icon Hash:07032d1f0527471b

                                                                  Static PE Info

                                                                  General

                                                                  Entrypoint:0x636912
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                  Time Stamp:0x60909F0A [Tue May 4 01:10:34 2021 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:v4.0.30319
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                  Entrypoint Preview

                                                                  Instruction
                                                                  jmp dword ptr [00402000h]
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al

                                                                  Data Directories

                                                                   Name | Virtual Address | Virtual Size | Is in Section
                                                                   IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2368c0 | 0x4f | .text
                                                                   IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x238000 | 0x41e8 | .rsrc
                                                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x23e000 | 0xc | .reloc
                                                                   IMAGE_DIRECTORY_ENTRY_DEBUG | 0x236788 | 0x1c | .text
                                                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                                   IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                  Sections

                                                                   Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                   .text | 0x2000 | 0x234918 | 0x234a00 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                   .rsrc | 0x238000 | 0x41e8 | 0x4200 | False | 0.514441287879 | data | 5.44364934449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                   .reloc | 0x23e000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                  Resources

                                                                   Name | RVA | Size | Type | Language | Country
                                                                   RT_ICON | 0x238140 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                                                   RT_ICON | 0x2385b8 | 0x10a8 | data | |
                                                                   RT_ICON | 0x239670 | 0x25a8 | data | |
                                                                   RT_GROUP_ICON | 0x23bc28 | 0x30 | data | |
                                                                   RT_VERSION | 0x23bc68 | 0x380 | data | |
                                                                   RT_MANIFEST | 0x23bff8 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                                  Imports

                                                                   DLL | Import
                                                                   mscoree.dll | _CorExeMain

                                                                  Version Infos

                                                                   Description | Data
                                                                   Translation | 0x0000 0x04b0
                                                                   LegalCopyright | Copyright Gilbert Adjin Frimpong
                                                                   Assembly Version | 1.0.0.0
                                                                   InternalName | IMethodMessage.exe
                                                                   FileVersion | 1.0.0.0
                                                                   CompanyName | Gilbert Adjin
                                                                   LegalTrademarks |
                                                                   Comments |
                                                                   ProductName | Shop Manager
                                                                   ProductVersion | 1.0.0.0
                                                                   FileDescription | Shop Manager
                                                                   OriginalFilename | IMethodMessage.exe

                                                                  Network Behavior

                                                                  Snort IDS Alerts

                                                                   Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                                   05/04/21-19:13:07.551654 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.184
                                                                   05/04/21-19:13:07.586777 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 84.17.52.126 | 192.168.2.6
                                                                   05/04/21-19:13:07.590236 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.184
                                                                   05/04/21-19:13:07.625531 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 149.11.89.129 | 192.168.2.6
                                                                   05/04/21-19:13:07.628818 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.184
                                                                   05/04/21-19:13:07.664673 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 130.117.49.165 | 192.168.2.6
                                                                   05/04/21-19:13:07.665430 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.184
                                                                   05/04/21-19:13:07.706276 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 130.117.0.18 | 192.168.2.6
                                                                   05/04/21-19:13:07.706835 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.184
                                                                   05/04/21-19:13:07.753450 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 154.54.36.53 | 192.168.2.6
                                                                   05/04/21-19:13:07.754164 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.184
                                                                   05/04/21-19:13:07.800340 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 130.117.15.66 | 192.168.2.6
                                                                   05/04/21-19:13:07.800797 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.184
                                                                   05/04/21-19:13:07.869203 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 195.22.208.79 | 192.168.2.6
                                                                   05/04/21-19:13:07.869689 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.184
                                                                   05/04/21-19:13:07.925619 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 93.186.128.39 | 192.168.2.6
                                                                   05/04/21-19:13:07.926043 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.184
                                                                   05/04/21-19:13:07.981484 | ICMP | 408 | ICMP Echo Reply | | | 2.23.155.184 | 192.168.2.6

                                                                  Network Port Distribution

                                                                  TCP Packets

                                                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                   May 4, 2021 19:14:51.980122089 CEST | 49749 | 587 | 192.168.2.6 | 66.70.204.222
                                                                   May 4, 2021 19:14:52.110054970 CEST | 587 | 49749 | 66.70.204.222 | 192.168.2.6
                                                                   May 4, 2021 19:14:52.110392094 CEST | 49749 | 587 | 192.168.2.6 | 66.70.204.222
                                                                   May 4, 2021 19:14:52.364695072 CEST | 587 | 49749 | 66.70.204.222 | 192.168.2.6
                                                                   May 4, 2021 19:14:52.367636919 CEST | 49749 | 587 | 192.168.2.6 | 66.70.204.222
                                                                   May 4, 2021 19:14:52.497628927 CEST | 587 | 49749 | 66.70.204.222 | 192.168.2.6
                                                                   May 4, 2021 19:14:52.500775099 CEST | 49749 | 587 | 192.168.2.6 | 66.70.204.222
                                                                   May 4, 2021 19:14:52.632188082 CEST | 587 | 49749 | 66.70.204.222 | 192.168.2.6
                                                                   May 4, 2021 19:14:52.688940048 CEST | 49749 | 587 | 192.168.2.6 | 66.70.204.222
                                                                   May 4, 2021 19:14:52.813638926 CEST | 49749 | 587 | 192.168.2.6 | 66.70.204.222
                                                                   May 4, 2021 19:14:52.951697111 CEST | 587 | 49749 | 66.70.204.222 | 192.168.2.6
                                                                   May 4, 2021 19:14:52.951724052 CEST | 587 | 49749 | 66.70.204.222 | 192.168.2.6
                                                                   May 4, 2021 19:14:52.951740980 CEST | 587 | 49749 | 66.70.204.222 | 192.168.2.6
                                                                   May 4, 2021 19:14:52.952095985 CEST | 49749 | 587 | 192.168.2.6 | 66.70.204.222
                                                                   May 4, 2021 19:14:52.962678909 CEST | 49749 | 587 | 192.168.2.6 | 66.70.204.222
                                                                   May 4, 2021 19:14:53.092824936 CEST | 587 | 49749 | 66.70.204.222 | 192.168.2.6
                                                                   May 4, 2021 19:14:53.151324987 CEST | 49749 | 587 | 192.168.2.6 | 66.70.204.222
                                                                   May 4, 2021 19:14:53.413399935 CEST | 49749 | 587 | 192.168.2.6 | 66.70.204.222
                                                                   May 4, 2021 19:14:53.543329954 CEST | 587 | 49749 | 66.70.204.222 | 192.168.2.6
                                                                   May 4, 2021 19:14:53.546207905 CEST | 49749 | 587 | 192.168.2.6 | 66.70.204.222
                                                                   May 4, 2021 19:14:53.676331997 CEST | 587 | 49749 | 66.70.204.222 | 192.168.2.6
                                                                   May 4, 2021 19:14:53.677742004 CEST | 49749 | 587 | 192.168.2.6 | 66.70.204.222
                                                                   May 4, 2021 19:14:53.817493916 CEST | 587 | 49749 | 66.70.204.222 | 192.168.2.6
                                                                   May 4, 2021 19:14:53.819114923 CEST | 49749 | 587 | 192.168.2.6 | 66.70.204.222
                                                                   May 4, 2021 19:14:53.949096918 CEST | 587 | 49749 | 66.70.204.222 | 192.168.2.6
                                                                   May 4, 2021 19:14:53.949945927 CEST | 49749 | 587 | 192.168.2.6 | 66.70.204.222
                                                                   May 4, 2021 19:14:54.084723949 CEST | 587 | 49749 | 66.70.204.222 | 192.168.2.6
                                                                   May 4, 2021 19:14:54.086483002 CEST | 49749 | 587 | 192.168.2.6 | 66.70.204.222
                                                                   May 4, 2021 19:14:54.216568947 CEST | 587 | 49749 | 66.70.204.222 | 192.168.2.6
                                                                   May 4, 2021 19:14:54.218698025 CEST | 49749 | 587 | 192.168.2.6 | 66.70.204.222
                                                                   May 4, 2021 19:14:54.220149994 CEST | 49749 | 587 | 192.168.2.6 | 66.70.204.222
                                                                   May 4, 2021 19:14:54.220159054 CEST | 49749 | 587 | 192.168.2.6 | 66.70.204.222
                                                                   May 4, 2021 19:14:54.220666885 CEST | 49749 | 587 | 192.168.2.6 | 66.70.204.222
                                                                   May 4, 2021 19:14:54.348767996 CEST | 587 | 49749 | 66.70.204.222 | 192.168.2.6
                                                                   May 4, 2021 19:14:54.349998951 CEST | 587 | 49749 | 66.70.204.222 | 192.168.2.6
                                                                   May 4, 2021 19:14:54.350048065 CEST | 587 | 49749 | 66.70.204.222 | 192.168.2.6
                                                                   May 4, 2021 19:14:54.350409985 CEST | 587 | 49749 | 66.70.204.222 | 192.168.2.6
                                                                   May 4, 2021 19:14:54.352190018 CEST | 587 | 49749 | 66.70.204.222 | 192.168.2.6
                                                                   May 4, 2021 19:14:54.404773951 CEST | 49749 | 587 | 192.168.2.6 | 66.70.204.222

                                                                  UDP Packets


                                                                  DNS Queries

                                                                   Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                                   May 4, 2021 19:14:51.694025040 CEST | 192.168.2.6 | 8.8.8.8 | 0x9564 | Standard query (0) | mail.iykmoreentrprise.org | A (IP address) | IN (0x0001)
                                                                   May 4, 2021 19:14:51.796029091 CEST | 192.168.2.6 | 8.8.8.8 | 0xaafe | Standard query (0) | mail.iykmoreentrprise.org | A (IP address) | IN (0x0001)

                                                                  DNS Answers

                                                                   Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                   May 4, 2021 19:14:51.767874002 CEST | 8.8.8.8 | 192.168.2.6 | 0x9564 | No error (0) | mail.iykmoreentrprise.org | iykmoreentrprise.org | - | CNAME (Canonical name) | IN (0x0001)
                                                                   May 4, 2021 19:14:51.767874002 CEST | 8.8.8.8 | 192.168.2.6 | 0x9564 | No error (0) | iykmoreentrprise.org | - | 66.70.204.222 | A (IP address) | IN (0x0001)
                                                                   May 4, 2021 19:14:51.866108894 CEST | 8.8.8.8 | 192.168.2.6 | 0xaafe | No error (0) | mail.iykmoreentrprise.org | iykmoreentrprise.org | - | CNAME (Canonical name) | IN (0x0001)
                                                                   May 4, 2021 19:14:51.866108894 CEST | 8.8.8.8 | 192.168.2.6 | 0xaafe | No error (0) | iykmoreentrprise.org | - | 66.70.204.222 | A (IP address) | IN (0x0001)

                                                                  SMTP Packets

                                                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                                   May 4, 2021 19:14:52.364695072 CEST | 587 | 49749 | 66.70.204.222 | 192.168.2.6 | 220-server.wlcserver.com ESMTP Exim 4.94 #2 Tue, 04 May 2021 21:14:52 +0400
                                                                       220-We do not authorize the use of this system to transport unsolicited,
                                                                       220 and/or bulk e-mail.
                                                                   May 4, 2021 19:14:52.367636919 CEST | 49749 | 587 | 192.168.2.6 | 66.70.204.222 | EHLO 468325
                                                                   May 4, 2021 19:14:52.497628927 CEST | 587 | 49749 | 66.70.204.222 | 192.168.2.6 | 250-server.wlcserver.com Hello 468325 [84.17.52.3]
                                                                       250-SIZE 52428800
                                                                       250-8BITMIME
                                                                       250-PIPELINING
                                                                       250-X_PIPE_CONNECT
                                                                       250-STARTTLS
                                                                       250 HELP
                                                                   May 4, 2021 19:14:52.500775099 CEST | 49749 | 587 | 192.168.2.6 | 66.70.204.222 | STARTTLS
                                                                   May 4, 2021 19:14:52.632188082 CEST | 587 | 49749 | 66.70.204.222 | 192.168.2.6 | 220 TLS go ahead

                                                                  Code Manipulations

                                                                  Statistics

                                                                  CPU Usage

                                                                  Memory Usage

                                                                  High Level Behavior Distribution

                                                                  Behavior

                                                                  System Behavior

                                                                  General

                                                                   Start time: 19:13:01
                                                                   Start date: 04/05/2021
                                                                   Path: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe
                                                                   Wow64 process (32bit): true
                                                                   Commandline: 'C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe'
                                                                   Imagebase: 0x330000
                                                                   File size: 2330624 bytes
                                                                   MD5 hash: 3DAD3D4918E28DED77C3E2E93A42665F
                                                                   Has elevated privileges: true
                                                                   Has administrator privileges: true
                                                                   Programmed in: .Net C# or VB.NET
                                                                   Yara matches:
                                                                   • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.333313035.00000000037F9000.00000004.00000001.sdmp, Author: Joe Security
                                                                   • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp, Author: Joe Security
                                                                   Reputation: low

                                                                  General

                                                                   Start time: 19:13:06
                                                                   Start date: 04/05/2021
                                                                   Path: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe
                                                                   Wow64 process (32bit): false
                                                                   Commandline: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe
                                                                   Imagebase: 0x330000
                                                                   File size: 2330624 bytes
                                                                   MD5 hash: 3DAD3D4918E28DED77C3E2E93A42665F
                                                                   Has elevated privileges: true
                                                                   Has administrator privileges: true
                                                                   Programmed in: C, C++ or other language
                                                                   Reputation: low

                                                                  General

                                                                   Start time: 19:13:07
                                                                   Start date: 04/05/2021
                                                                   Path: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe
                                                                   Wow64 process (32bit): true
                                                                   Commandline: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe
                                                                   Imagebase: 0xa90000
                                                                   File size: 2330624 bytes
                                                                   MD5 hash: 3DAD3D4918E28DED77C3E2E93A42665F
                                                                   Has elevated privileges: true
                                                                   Has administrator privileges: true
                                                                   Programmed in: .Net C# or VB.NET
                                                                   Yara matches:
                                                                   • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp, Author: Joe Security
                                                                   • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp, Author: Joe Security
                                                                   • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.582976077.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                   Reputation: low

                                                                  Disassembly

                                                                  Code Analysis

                                                                    Executed Functions

                                                                    APIs
                                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 059EA59E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false

                                                                    APIs
                                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 059EA59E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false

                                                                    APIs
                                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 059EA170
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: MemoryProcessWrite
                                                                    • String ID:
                                                                    • API String ID: 3559483778-0
                                                                    • Opcode ID: b36061bc63489768fde00552a0c4be6d1de162b9b1e36b6924c93c12c77bbf83
                                                                    • Instruction ID: 8ef3009494541300770fa2a0d02ab0a4c039c333ac5e6c4d6ea99f36644f3ce7
                                                                    • Opcode Fuzzy Hash: b36061bc63489768fde00552a0c4be6d1de162b9b1e36b6924c93c12c77bbf83
                                                                    • Instruction Fuzzy Hash: DA2144719003099FCF10CFA9C984BDEBBF5FF48324F50842AE919A7251CB78A955CBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 059EA170
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: MemoryProcessWrite
                                                                    • String ID:
                                                                    • API String ID: 3559483778-0
                                                                    • Opcode ID: 1c0fc0d22e2070a7155703f7a8924fac2d2db3ac6edfeb443c7cf505ebfd472c
                                                                    • Instruction ID: 31379482fb04f88902139c49135670dd65c90891186f76357b3027f6cfe4b721
                                                                    • Opcode Fuzzy Hash: 1c0fc0d22e2070a7155703f7a8924fac2d2db3ac6edfeb443c7cf505ebfd472c
                                                                    • Instruction Fuzzy Hash: A52124719003499FCB10CFA9C984BDEBBF5FF48314F50842AE919A7250CB78A955CBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 059EA250
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: MemoryProcessRead
                                                                    • String ID:
                                                                    • API String ID: 1726664587-0
                                                                    • Opcode ID: 8c7f20c43de31e4ed83cceb21d9551293446b98df81f5de5c6a315346804c8fe
                                                                    • Instruction ID: 365f897e66f35e6f2e1d8d0fd0364ecdf9a9235a44092b58fb85b000d9ea845b
                                                                    • Opcode Fuzzy Hash: 8c7f20c43de31e4ed83cceb21d9551293446b98df81f5de5c6a315346804c8fe
                                                                    • Instruction Fuzzy Hash: 3C2105B19003499FCB10CFA9C884BDEBBF5FF48324F50842AE919A7250CB35A945CBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • SetThreadContext.KERNELBASE(?,00000000), ref: 059E9FC6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ContextThread
                                                                    • String ID:
                                                                    • API String ID: 1591575202-0
                                                                    • Opcode ID: 4e8389783e6098b656c558d1d2ff4dabb9363b0ef252885a7ffbceeb04eaa94a
                                                                    • Instruction ID: 7b468449971da54b479e6f99633c19dbe5d326458576a16b35c587b50a8726c0
                                                                    • Opcode Fuzzy Hash: 4e8389783e6098b656c558d1d2ff4dabb9363b0ef252885a7ffbceeb04eaa94a
                                                                    • Instruction Fuzzy Hash: 94213A71D043098FCB10DFAAC4847EEBBF4EF88224F54C42AD919A7641CB78A945CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 059EA250
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: MemoryProcessRead
                                                                    • String ID:
                                                                    • API String ID: 1726664587-0
                                                                    • Opcode ID: b1485c36341b662cd0a42c0ebf306b8f89ecd36b16d2637bc3b6afdd8242b138
                                                                    • Instruction ID: 98ef12b6548d332240ac7f78a366fd6f3859b974ffb20c908dfdde1cf7aa074f
                                                                    • Opcode Fuzzy Hash: b1485c36341b662cd0a42c0ebf306b8f89ecd36b16d2637bc3b6afdd8242b138
                                                                    • Instruction Fuzzy Hash: 3221E6B1D003499FCB10DFA9C884BDEBBF5FF48314F50842AE919A7250D775A954CBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • SetThreadContext.KERNELBASE(?,00000000), ref: 059E9FC6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ContextThread
                                                                    • String ID:
                                                                    • API String ID: 1591575202-0
                                                                    • Opcode ID: 7d8e2c05006d107d2d239fbd23104664a1667fa23220dfc3253f87587ef5e73c
                                                                    • Instruction ID: 8285107f47f8b1a1284e7a9e46b4c8b278e9db1fdea0ad905f85301c50f13839
                                                                    • Opcode Fuzzy Hash: 7d8e2c05006d107d2d239fbd23104664a1667fa23220dfc3253f87587ef5e73c
                                                                    • Instruction Fuzzy Hash: 36212971D043098FDB10DFA9C4847EEBBF4EF48314F54842AD919A7641DB78A945CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 059E55DB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ProtectVirtual
                                                                    • String ID:
                                                                    • API String ID: 544645111-0
                                                                    • Opcode ID: 5e25c44011f903c3404c7275849033ddd69184590ee279fb7e3de9d33a98289a
                                                                    • Instruction ID: 060863e330fb9b96c92054b7518675fb8cea2d501b4319eeba937d5a5f3a8d54
                                                                    • Opcode Fuzzy Hash: 5e25c44011f903c3404c7275849033ddd69184590ee279fb7e3de9d33a98289a
                                                                    • Instruction Fuzzy Hash: 8B2117B19003099FCB10CF9AC984BDEFBF4FB48324F10842AE458A7250D778A545CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 059EA08E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: AllocVirtual
                                                                    • String ID:
                                                                    • API String ID: 4275171209-0
                                                                    • Opcode ID: ce0f7fcac261f5f373164592bbb9f48e26c20fcade6c263634532b5f91fc2d77
                                                                    • Instruction ID: 301d938c2c5210b9ff7aeec053cf83a8e20d8089cf4a9bbb4466b1f6694d019a
                                                                    • Opcode Fuzzy Hash: ce0f7fcac261f5f373164592bbb9f48e26c20fcade6c263634532b5f91fc2d77
                                                                    • Instruction Fuzzy Hash: A51144759002089FCB11CFAAC844BDEBBF5EF88324F14881AE515A7250CB35A944CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 059E55DB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ProtectVirtual
                                                                    • String ID:
                                                                    • API String ID: 544645111-0
                                                                    • Opcode ID: d281ee51dc33d359d3d41299dd8bc2256f2070c0d6ecf585cf4c850e14ca34aa
                                                                    • Instruction ID: b6c5dfd39f30fff7a8525bde5019f2f030b70814f9c873df52edd81178705325
                                                                    • Opcode Fuzzy Hash: d281ee51dc33d359d3d41299dd8bc2256f2070c0d6ecf585cf4c850e14ca34aa
                                                                    • Instruction Fuzzy Hash: CB21E7B59002099FCB10CF9AC984BDEFBF4FB48324F10842AE558A7250D774A545CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 059EA08E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: AllocVirtual
                                                                    • String ID:
                                                                    • API String ID: 4275171209-0
                                                                    • Opcode ID: 1ee88dc8e561bb590342c8ae0ff44359babf9eb6a8344d904a58432b587acd3a
                                                                    • Instruction ID: c2ae70688b18c27a5609cddfbc96432bc9fbd5f901fc28837669e626a4508138
                                                                    • Opcode Fuzzy Hash: 1ee88dc8e561bb590342c8ae0ff44359babf9eb6a8344d904a58432b587acd3a
                                                                    • Instruction Fuzzy Hash: AC1137719002489FCF11DFA9C844BDFBBF5EF88324F14881AE515A7250CB75A954CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ResumeThread
                                                                    • String ID:
                                                                    • API String ID: 947044025-0
                                                                    • Opcode ID: ec0d8d579f76fe78e27a77634fec0667773d01b6913bbd39e0a3f03bb56c407a
                                                                    • Instruction ID: ce57702aa92d1282b7a25e84541a9e2fbfb5e8b4f65a39b2860f96fb251e2d9b
                                                                    • Opcode Fuzzy Hash: ec0d8d579f76fe78e27a77634fec0667773d01b6913bbd39e0a3f03bb56c407a
                                                                    • Instruction Fuzzy Hash: E81158B1D043488FCB10DFAAC8847DEBBF9EF88224F14881AD519A7650CB35A945CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,059EEC21,?,?), ref: 059EEDC8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ChangeCloseFindNotification
                                                                    • String ID:
                                                                    • API String ID: 2591292051-0
                                                                    • Opcode ID: 6273ffe7e7fa037a104350a8653718ce35b9926d7d1a12913af7ad47167243d0
                                                                    • Instruction ID: 7f6a07e1e5c92671b35b99def0e46666191f8f3439b79a6c4ef240fb1b85f291
                                                                    • Opcode Fuzzy Hash: 6273ffe7e7fa037a104350a8653718ce35b9926d7d1a12913af7ad47167243d0
                                                                    • Instruction Fuzzy Hash: E61136B58007498FDB10DF99C544BEEBBF8EB48324F10846AE919A7740D738A985CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ResumeThread
                                                                    • String ID:
                                                                    • API String ID: 947044025-0
                                                                    • Opcode ID: a7f19c1d9a0c8c879979e725b28ded2f0590519f33dd643e4715fdc178e28a6f
                                                                    • Instruction ID: e927faba17bbcd79697f88448ca3fe5c3b42de46f5e93570a791a3bccf4f3bc7
                                                                    • Opcode Fuzzy Hash: a7f19c1d9a0c8c879979e725b28ded2f0590519f33dd643e4715fdc178e28a6f
                                                                    • Instruction Fuzzy Hash: 2F1136B1D043488FCB10DFAAC8447DEFBF9EF88224F14882AD519A7650CB75A944CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 059ED3DD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: MessagePost
                                                                    • String ID:
                                                                    • API String ID: 410705778-0
                                                                    • Opcode ID: 10a4ec56d0bee9e32806fd79b28c6006d7b4a167faf101003f5c1e5025551ac9
                                                                    • Instruction ID: 5f92c580aa4c9fd747c9d642cfe6ac53639aeff481ad0341cfe0b4cf30e3cd42
                                                                    • Opcode Fuzzy Hash: 10a4ec56d0bee9e32806fd79b28c6006d7b4a167faf101003f5c1e5025551ac9
                                                                    • Instruction Fuzzy Hash: 4711F2B59003499FDB10DF99C884BDEBBF8FB48324F10845AE955A7210C374A944CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.338396823.0000000005330000.00000040.00000001.sdmp, Offset: 05330000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d86480957f931dc7c9b6a85114f3b9c8aa41d43a672143c8303f1236b2cd2ac9
                                                                    • Instruction ID: c5a7001189c641c57d6617dfe663a25075e6ee80f7156a165336a538d46a70b6
                                                                    • Opcode Fuzzy Hash: d86480957f931dc7c9b6a85114f3b9c8aa41d43a672143c8303f1236b2cd2ac9
                                                                    • Instruction Fuzzy Hash: 953114B4E04209DFCB48CFAAC581AAEFBF6BB88300F50956AD819E7354D7349A418F50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.338396823.0000000005330000.00000040.00000001.sdmp, Offset: 05330000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4a4cf4e9cb5b97be855760ebdd1fcac6140f5d663910850925ca0ef72d1d8cea
                                                                    • Instruction ID: c3ae7b4cc7abbf00c4c792ae1bef6bad0e31fb3af60740d59c7de1eb918398c9
                                                                    • Opcode Fuzzy Hash: 4a4cf4e9cb5b97be855760ebdd1fcac6140f5d663910850925ca0ef72d1d8cea
                                                                    • Instruction Fuzzy Hash: D321E2B4E042099FCB48CFA9D5829AEFBF6BF88300F10C5A5D408A7314E730AA518F91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4@/S$!L6
                                                                    • API String ID: 0-3774428056
                                                                    • Opcode ID: 14b7a74c253f7ac2049a13d2ae469f8fa6283b7992076284e77cac74f4579392
                                                                    • Instruction ID: 62cc086ff5e889c17a7b0b1bab0e5b745fd3aef40c574ea4b97478a7ee5ba47e
                                                                    • Opcode Fuzzy Hash: 14b7a74c253f7ac2049a13d2ae469f8fa6283b7992076284e77cac74f4579392
                                                                    • Instruction Fuzzy Hash: 87B13974E05249CBCB04CFE9D5419EEFBF2FB88310F14956AD408AB358E7349D428B61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: !L6
                                                                    • API String ID: 0-2175186993
                                                                    • Opcode ID: 088907aae6fca0c0083fa5ab080a7cfc0fba1659340aa21d1d8457b403d8cf54
                                                                    • Instruction ID: f6f049149c6b6028131001ac9ec1b7130eda79bed4cb34d872c32556c7dc8338
                                                                    • Opcode Fuzzy Hash: 088907aae6fca0c0083fa5ab080a7cfc0fba1659340aa21d1d8457b403d8cf54
                                                                    • Instruction Fuzzy Hash: 0CB125B4E05259CBCB04CFE9D5419EEFBF2FF88310F24956AD405AB218E7349D428B65
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Y
                                                                    • API String ID: 0-3233089245
                                                                    • Opcode ID: 1d542cb980e8b142ff97a2f1a89d0e7cb0262c16c0c4ca0f5c348afcc96f18a0
                                                                    • Instruction ID: d46a020b88f01b11a1ed97566bb2f2085487d01f90d5d656dfaeb982e8e6be95
                                                                    • Opcode Fuzzy Hash: 1d542cb980e8b142ff97a2f1a89d0e7cb0262c16c0c4ca0f5c348afcc96f18a0
                                                                    • Instruction Fuzzy Hash: 9071F474E056099FCB08CFA9C5819EEFBF2FF89210F24986AD415BB314D7749A41CB68
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Y
                                                                    • API String ID: 0-3233089245
                                                                    • Opcode ID: aa6bdf0f4226d215a4ef5e2b19606c0c5b1bfbf7b1caad6043d806cb321b9de8
                                                                    • Instruction ID: 87b6a55f3cd4bf051f296a4dddea4f6e14fcf0a6d9b19ba14d48a5991a94587e
                                                                    • Opcode Fuzzy Hash: aa6bdf0f4226d215a4ef5e2b19606c0c5b1bfbf7b1caad6043d806cb321b9de8
                                                                    • Instruction Fuzzy Hash: 6571E474E056099FCB04CFA9C5819EEFBF2FF89210F24986AD405BB364D7749A81CB64
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
• API ID:
• String ID: k/$
• API String ID: 0-3172350600
• Opcode ID: 807043e951c8c4bfa9b99b89fe954266f77bd68f4a653fbf30baf593e919fe63
• Instruction ID: c1a707720f280d51e70fb55ccb3d498fa70ca7937696e658f926577899d1f079
• Opcode Fuzzy Hash: 807043e951c8c4bfa9b99b89fe954266f77bd68f4a653fbf30baf593e919fe63
• Instruction Fuzzy Hash: 34614A74E0524A8BCB05CFEAD581AEEFBB2EF88310F14D42AD515B7254D738AA41CF91
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
• API ID:
• String ID: k/$
• API String ID: 0-3172350600
• Opcode ID: 3ccff86e590eb68b1f77fa51d5ca96ab99578d867e90cf1cbb44bff36c333b39
• Instruction ID: 2e30673673ad725f2945bad435839f5f0ade56998096fccadec03bd3f3f276f6
• Opcode Fuzzy Hash: 3ccff86e590eb68b1f77fa51d5ca96ab99578d867e90cf1cbb44bff36c333b39
• Instruction Fuzzy Hash: 6D613874E0524A9BCB05CFEAD481AEEFBB2EB88310F14D42AD515B7254D738AA41CF91
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.338396823.0000000005330000.00000040.00000001.sdmp, Offset: 05330000, based on PE: false
• API ID:
• String ID: I'D;
• API String ID: 0-3745840107
• Opcode ID: bc2f37f34161de0a71a34b205e58c7ab5d13db1b02fc718f68bf1a247206905a
• Instruction ID: e3d6f10589b89dfee1ab5362f7d59431cf2c7b9c4e8f7ecaf21a7fc71c60890b
• Opcode Fuzzy Hash: bc2f37f34161de0a71a34b205e58c7ab5d13db1b02fc718f68bf1a247206905a
• Instruction Fuzzy Hash: 6A6136B4E15609DFDB44CF99D4819EEFBB6FB88310F14942AE405AB315D734A942CF90
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
• API ID:
• String ID: )<H)
• API String ID: 0-2870836797
• Opcode ID: 4b951dcd6b04b77ee619f952e2c5943d5162882c9a2c2770bfa4b0c3bc2c1e63
• Instruction ID: a0b6bc7bf1f1af31e79c1be3db5814274221af29de6b55fcc2162e72de96ae02
• Opcode Fuzzy Hash: 4b951dcd6b04b77ee619f952e2c5943d5162882c9a2c2770bfa4b0c3bc2c1e63
• Instruction Fuzzy Hash: EE41C8B5E0560A9FCB44CFAAD5816EEFBF2BB98300F24C52AC415A7254E7349641CF94
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
• API ID:
• String ID: )<H)
• API String ID: 0-2870836797
• Opcode ID: 34a0d7153a264c17b3404333cd75ad54529d582c1c72906b7a1956c86de70458
• Instruction ID: 60d543bd8302328ee4b166508fa12ba48ea544318f6d6d11e4c0d9400e0b2bd4
• Opcode Fuzzy Hash: 34a0d7153a264c17b3404333cd75ad54529d582c1c72906b7a1956c86de70458
• Instruction Fuzzy Hash: D341C6B4E0460A9BCB48CFAAC5815EEFBF6BF88300F24C56AC515B7254E7349A41DF94
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.338396823.0000000005330000.00000040.00000001.sdmp, Offset: 05330000, based on PE: false
• API ID:
• String ID:
• API String ID:
• Opcode ID: 04c637d456d7a70c61235a9b201ebfeabcd4b66303d4f5c8a96cef3237a6fd45
• Instruction ID: 1cd1bed3448c1aa0ed55b0e2f64c2143704433fd96098a4e431f39a16cab4ad1
• Opcode Fuzzy Hash: 04c637d456d7a70c61235a9b201ebfeabcd4b66303d4f5c8a96cef3237a6fd45
• Instruction Fuzzy Hash: A3529C34B041159FCB18DF69D485AAEBBB2FF88714B15C969E806EB360DB71EC41CB90
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.338396823.0000000005330000.00000040.00000001.sdmp, Offset: 05330000, based on PE: false
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4404bf7b3b6b8a6d4817da8f16210bfbe915874f9b9f613da0a12c1099b04045
• Instruction ID: b1d2e4bd048742beec907784e22f89efaca11a9da32bad8938c32ff27afcc61d
• Opcode Fuzzy Hash: 4404bf7b3b6b8a6d4817da8f16210bfbe915874f9b9f613da0a12c1099b04045
• Instruction Fuzzy Hash: ECF1E075A00209DFCB15CFA8C885AAEBBF6FF49300F0585AAE805EB351D775E855CB50
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
• API ID:
• String ID:
• API String ID:
• Opcode ID: dbb461a6130091ea5ddefed4207ec1196d3e756a53c3caa33a6bb541dcfa6ad7
• Instruction ID: fd55b1aafa06684c7e09d47a512159b73bd268ffa251b3ea479a6e99e6f28ef6
• Opcode Fuzzy Hash: dbb461a6130091ea5ddefed4207ec1196d3e756a53c3caa33a6bb541dcfa6ad7
• Instruction Fuzzy Hash: CFC11874E04259DFCB14DFA9C980AADFBB2FF89304F2485AAD418A7315D7319A41CF61
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.338396823.0000000005330000.00000040.00000001.sdmp, Offset: 05330000, based on PE: false
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4bd025a516981625e0a6f216eb25946657006693b3a7b2e2c64b40569d7dd9cf
• Instruction ID: 44431b2a447934d50ad4418154679f16519c097990f081eb4f87441acec7951b
• Opcode Fuzzy Hash: 4bd025a516981625e0a6f216eb25946657006693b3a7b2e2c64b40569d7dd9cf
• Instruction Fuzzy Hash: CB81C474E01209CFDB08CFEAD9856AEBBB6FF88300F14842AD519AB364D7349945CF54
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
• API ID:
• String ID:
• API String ID:
• Opcode ID: 39748cef28008f05418f274e0e9a486a4f9ebf08da3d9b7901b48c80dd255fb5
• Instruction ID: 4118ec173e16b5445d1682c26be56000b3418dba1edff319b336a6c02675b155
• Opcode Fuzzy Hash: 39748cef28008f05418f274e0e9a486a4f9ebf08da3d9b7901b48c80dd255fb5
• Instruction Fuzzy Hash: 3E81DF74E1520ACFCB44CFA9D5889AEFBF2FF88310F149559D419AB220D770AA42CF54
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
• API ID:
• String ID:
• API String ID:
• Opcode ID: e9c637c8503495e2cb11f03111a9c89c5838b7aecad5b341569266b9e4c8b845
• Instruction ID: 71fd54bd953a5515108afcfafe6d6f1cfc3f55b0a5a871ef08769a1097b5af2c
• Opcode Fuzzy Hash: e9c637c8503495e2cb11f03111a9c89c5838b7aecad5b341569266b9e4c8b845
• Instruction Fuzzy Hash: 1B71CF74E1521ACFCB44CFA9D5899AEFBF2FF88314F148569D419AB220D770AA42CF50
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.338396823.0000000005330000.00000040.00000001.sdmp, Offset: 05330000, based on PE: false
• API ID:
• String ID:
• API String ID:
• Opcode ID: 52c28084f4e313ea358baa37ef27acc0b7f617841e1365d8b1d3901d80a5ac75
• Instruction ID: 77d98d00f0f7ad82bfbf4b416e33b1d68d73c706e552582782f05bdd9fa5b383
• Opcode Fuzzy Hash: 52c28084f4e313ea358baa37ef27acc0b7f617841e1365d8b1d3901d80a5ac75
• Instruction Fuzzy Hash: DC71C075E002189FDB14DFA9D985AAEBBF2FF88304F14802AE909AB364DB355941CF51
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.338396823.0000000005330000.00000040.00000001.sdmp, Offset: 05330000, based on PE: false
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3a7025dae1266061e20d64eec3dce0c8a9e3b456107b07c99ac7dd1b3d03d29c
• Instruction ID: 320b84d492329d64e6b4d4572d05b6aafb7754afb48ad181af1630a965bfa5a8
• Opcode Fuzzy Hash: 3a7025dae1266061e20d64eec3dce0c8a9e3b456107b07c99ac7dd1b3d03d29c
• Instruction Fuzzy Hash: ED61C075E002189FDB14DFE9D945AAEBBF2FF88300F24802AE909AB364DB755941CF51
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
• API ID:
• String ID:
• API String ID:
• Opcode ID: 30ff3a0e30938947ecf35333cf8ae58f6b971a136469df1edc9c6755de640df0
• Instruction ID: 43304bb3301dd9f6e1fa72a9586643b7bcb151fab45277dc651a29ec77fff817
• Opcode Fuzzy Hash: 30ff3a0e30938947ecf35333cf8ae58f6b971a136469df1edc9c6755de640df0
• Instruction Fuzzy Hash: B8419D71E152199BDB19CFAAE981B9EBBF7EF89200F18C06AD509EB345DB305901CF50
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.338396823.0000000005330000.00000040.00000001.sdmp, Offset: 05330000, based on PE: false
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6ed1ac692758f889aba2ba94558950e5d90b174863a0c29a1cba645bd066952e
• Instruction ID: 362d78cd526612f290a5ba22e09e064dfcad0aca82c995ec4dc49873d5b860c0
• Opcode Fuzzy Hash: 6ed1ac692758f889aba2ba94558950e5d90b174863a0c29a1cba645bd066952e
• Instruction Fuzzy Hash: B821CF313042148BCB285739999AE3F76ABEF84B5CB144039E906CBB95EF69C842D791
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4646d86e3b08202e3317f1c32c79ef16fc403675e05070a4ee686a8820e1ce4e
• Instruction ID: db1f8cb2b22c45ae70d4bbc774c3913743331bd4b6c564707d011d015488c7e8
• Opcode Fuzzy Hash: 4646d86e3b08202e3317f1c32c79ef16fc403675e05070a4ee686a8820e1ce4e
• Instruction Fuzzy Hash: 8C216A71E153189BDB09CFAAEC416DEFBF7EBC9210F14C06AD408A7311DB305A028B61
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.338396823.0000000005330000.00000040.00000001.sdmp, Offset: 05330000, based on PE: false
• API ID:
• String ID:
• API String ID:
• Opcode ID: e1784d4e900de1b51a185b2efc562ea3a7427525710ab1be778c76ca82fbd8d5
• Instruction ID: 9063fdea19ecbd45fd79a2e5868f671a2fc28b630cbbac4a30345ae63ceb8d89
• Opcode Fuzzy Hash: e1784d4e900de1b51a185b2efc562ea3a7427525710ab1be778c76ca82fbd8d5
• Instruction Fuzzy Hash: 3321DB71E056189BEB18CFABD94169EFBF7EFC8300F14C0BAD509A6254EB305A418F51
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
• API ID:
• String ID:
• API String ID:
• Opcode ID: 173f69d5a88bfaab7a925f7ab969f31a39f54c28f3afa072ff10816bcd0bed19
• Instruction ID: 046d1191465b9ba65640c0da9ce7974c6f4140a4377972e9958111ba6c351a3c
• Opcode Fuzzy Hash: 173f69d5a88bfaab7a925f7ab969f31a39f54c28f3afa072ff10816bcd0bed19
• Instruction Fuzzy Hash: 33116D71E152188BEB08CFAADA416EEFBB7EBC8210F14C07AD408A7255DB344A028B51
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.338501248.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
• API ID:
• String ID:
• API String ID:
• Opcode ID: 516db91036df0865eaae36c102329cc4ef0f8d17ec993bff4af444a611c65da1
• Instruction ID: 1a2f70234635b5e4edcab2a83399622538876aa82fe949f6d546eb9a5f731429
• Opcode Fuzzy Hash: 516db91036df0865eaae36c102329cc4ef0f8d17ec993bff4af444a611c65da1
• Instruction Fuzzy Hash: EA110AB5E116089BEB0CCFABDD0179EFAF7BFC8200F18C17AC408A6218DB7406428E51
• Uniqueness Score: -1.00%

Executed Functions

APIs
Memory Dump Source
• Source File: 00000003.00000002.584752597.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 4d0606f91215225743ee6c9300ebf6070ee165f93446f4ec47eb2df74e47a28e
• Instruction ID: b6a94a246d9269dfa2827c828ba16f01a301f6a5c0f2a64e1f2959a819b38413
• Opcode Fuzzy Hash: 4d0606f91215225743ee6c9300ebf6070ee165f93446f4ec47eb2df74e47a28e
• Instruction Fuzzy Hash: F3622934E006198FCB24EF78C85469DB7B1AF89304F1485AED54AAB764EF309E85CF91
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.584523358.0000000001350000.00000040.00000001.sdmp, Offset: 01350000, based on PE: false
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1866793b52a3ae67ae0bda7a535a53fff0089193ee7f29b148e3b84a6e90f721
• Instruction ID: 817f05b780e7a9f180a8e67bc56b911a2936ab1549367d031dd44ac8f6b89607
• Opcode Fuzzy Hash: 1866793b52a3ae67ae0bda7a535a53fff0089193ee7f29b148e3b84a6e90f721
• Instruction Fuzzy Hash: 7FF13D34A00209CFDB54DFA9C884BADFBF2BF88708F158559D909AF269DB70E945CB41
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.584693067.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: false
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: d17767717e02e1494f5746cd6a53c0ace0ca8576e20c354d7e974ca528a1ff45
• Instruction ID: 1de9c3d85ada494deece6716b4d1b7d3dad2a53e15c1e6cfe9b56dff6856d8a6
• Opcode Fuzzy Hash: d17767717e02e1494f5746cd6a53c0ace0ca8576e20c354d7e974ca528a1ff45
• Instruction Fuzzy Hash: 3251B171A102059FCB14EFB4D844AAEB7B6BF88215F14896DE506DB355DF30EC15CBA0
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.584752597.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false
• API ID:
• String ID:
• API String ID:
• Opcode ID: c627a6c8fb69af4a54e933dda69abc405280774ced4636003d6be6fdbc024d50
• Instruction ID: 81d1705cd80a9c41138758072f22ad473bd675ba244653f7a983bb734b1702d5
• Opcode Fuzzy Hash: c627a6c8fb69af4a54e933dda69abc405280774ced4636003d6be6fdbc024d50
• Instruction Fuzzy Hash: 72C19D30A00205CFCB15DB74C854AAEBBB2BF85314F2485AAD506EB3A5DB75DD86CF50
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.584693067.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: false
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 9a98f410f48bc4ac3b11f19dfdc9fc7cbd3535f155348381f6dbf615bf2bf3cb
• Instruction ID: 127c88a71875af7e94c5dce106d6f1e791053e7fc04d7b6ed8dc2f353ce1106f
• Opcode Fuzzy Hash: 9a98f410f48bc4ac3b11f19dfdc9fc7cbd3535f155348381f6dbf615bf2bf3cb
• Instruction Fuzzy Hash: 83B1C770B043458FC7019B78D854AAA7BF5AF85304F15C5BAD509DF292EB38DC0ACB61
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.584752597.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: cc5c1f919534c8be174a81b5db7f0b0083402674670c5333ba057c33402fa718
• Instruction ID: d0258f841b9edfd65f0d00b110214f1f91ac950e0be60c0d870ad5f327eb2c8f
• Opcode Fuzzy Hash: cc5c1f919534c8be174a81b5db7f0b0083402674670c5333ba057c33402fa718
• Instruction Fuzzy Hash: E0614F34A102159BDB14DFB4D458BAEBBB2BF88305F208829E506E7368DB759945CF50
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,01357D19,00000800), ref: 01357DAA
Memory Dump Source
• Source File: 00000003.00000002.584523358.0000000001350000.00000040.00000001.sdmp, Offset: 01350000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 78f44b524c4b5f7dd8c5dd8aec343632244e67106ceaa08820582a4818e8dbe1
• Instruction ID: 19158434b6c975afa3a2a20f02ad481e46710e7d68640ce4947fe38275e43824
• Opcode Fuzzy Hash: 78f44b524c4b5f7dd8c5dd8aec343632244e67106ceaa08820582a4818e8dbe1
• Instruction Fuzzy Hash: 1A2145B2D043489FCB10CFA9D444AEEFBF4EF89714F04842AD919A7201C375A945CFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,01357D19,00000800), ref: 01357DAA
Memory Dump Source
• Source File: 00000003.00000002.584523358.0000000001350000.00000040.00000001.sdmp, Offset: 01350000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: fb553eeb220a1fd92f0ecaf5708ee3919941eda6e84199e4e4b3a9180473edbb
• Instruction ID: ed2dc80f6865d73a013a777eeebdf2b522ac86804d3285e3e99bae899f640959
• Opcode Fuzzy Hash: fb553eeb220a1fd92f0ecaf5708ee3919941eda6e84199e4e4b3a9180473edbb
• Instruction Fuzzy Hash: AA1126B6D002089FDB10CF9AC444BEEFBF4EB88724F44842AE919B7600C775A945CFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• OleInitialize.OLE32(00000000), ref: 0135B7D5
Memory Dump Source
• Source File: 00000003.00000002.584523358.0000000001350000.00000040.00000001.sdmp, Offset: 01350000, based on PE: false
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: 7e166defa1134003564b59056cd1a70a0a09956b8a71298e772d92ee50eda74c
• Instruction ID: ea2018afb5c9444bf6c0e6fb3a7c1e47587dad5683bd9f9eed815354012d880c
• Opcode Fuzzy Hash: 7e166defa1134003564b59056cd1a70a0a09956b8a71298e772d92ee50eda74c
• Instruction Fuzzy Hash: E91142B09002488FDB10DF9AC488BDEFBF8EF48328F148459E918A7700C374A944CFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• OleInitialize.OLE32(00000000), ref: 0135B7D5
Memory Dump Source
• Source File: 00000003.00000002.584523358.0000000001350000.00000040.00000001.sdmp, Offset: 01350000, based on PE: false
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: aa62b3cd2877ed05dca0695e09545191128ae413aa0e0c129cc1a03d3540b7ea
• Instruction ID: c44087d86e9811f13200794537a7f93ab173c99284f9e8f39571f02365ba4918
• Opcode Fuzzy Hash: aa62b3cd2877ed05dca0695e09545191128ae413aa0e0c129cc1a03d3540b7ea
• Instruction Fuzzy Hash: 221145B19002488FCB10CF99C484BDEFBF4EF48324F14845AD518A7610C375AA44CFA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.584901026.000000000143D000.00000040.00000001.sdmp, Offset: 0143D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2ef568c9a6340c5ffbc32345da318b2013b6faf3e77990e4a4a8084415ca8e1f
• Instruction ID: 4f6e5bd13c27d3f7f01751c65625260a729bbde04915571566c762ffdb9abbbf
• Opcode Fuzzy Hash: 2ef568c9a6340c5ffbc32345da318b2013b6faf3e77990e4a4a8084415ca8e1f
• Instruction Fuzzy Hash: 4C213371904200EFDB01DF94D9C0B67BB65FBDC324F60C56AE8050B266C336E856CBA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.584941972.000000000144D000.00000040.00000001.sdmp, Offset: 0144D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8e29b4a97cf6db2365e25445b54d0f98e05fe336aba7413f1704f015745edaf7
• Instruction ID: 04630e52dc165b2ef7b97790162373314dea94fe76a568b97d57a322d5f12d52
• Opcode Fuzzy Hash: 8e29b4a97cf6db2365e25445b54d0f98e05fe336aba7413f1704f015745edaf7
• Instruction Fuzzy Hash: 982125B1904200DFEB15DF94D8C4B16BBA5FB94358F20C96AD8094B356C73AD847CA61
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.584941972.000000000144D000.00000040.00000001.sdmp, Offset: 0144D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e7b82c62936672547756cd36626eb6f2969b4f4339f2c09cb9a8104cf56a0e50
• Instruction ID: 5ebeeecd9ac11cd83e513cd748b9d8a082faade9f17e26d4f1678081e8434a31
• Opcode Fuzzy Hash: e7b82c62936672547756cd36626eb6f2969b4f4339f2c09cb9a8104cf56a0e50
• Instruction Fuzzy Hash: DA21B0754093808FDB02CF64C594702BF71EB46214F28C1DBC8498B267C33A980ACB62
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.584901026.000000000143D000.00000040.00000001.sdmp, Offset: 0143D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 90825e81fda1175a189452765487cd28cd30970da8754c189eaf9e16a5c9c767
• Instruction ID: 5887e23c4c72381933d76b8750e0c88d9741ed4152c8ea9da0ec453f66fc2046
• Opcode Fuzzy Hash: 90825e81fda1175a189452765487cd28cd30970da8754c189eaf9e16a5c9c767
• Instruction Fuzzy Hash: 3611AF76804280CFDB16CF54D5C4B16BF71FB88324F2486AAD8050B666C336D45ACBA1
Uniqueness
Uniqueness Score: -1.00%

Non-executed Functions