Analysis Report pd9EeXdsQtNb3dQ.exe

Overview

General Information

Sample Name: pd9EeXdsQtNb3dQ.exe
Analysis ID: 404170
MD5: 3dad3d4918e28ded77c3e2e93a42665f
SHA1: 8b16dba4992b75a303f63a09d8a41ac99f28ce5c
SHA256: 1b61b157db50652678e1e288cfce86f6c74e40f50a468f6d04d0010c84235210
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • pd9EeXdsQtNb3dQ.exe (PID: 6472 cmdline: 'C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe' MD5: 3DAD3D4918E28DED77C3E2E93A42665F)
    • pd9EeXdsQtNb3dQ.exe (PID: 6620 cmdline: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe MD5: 3DAD3D4918E28DED77C3E2E93A42665F)
    • pd9EeXdsQtNb3dQ.exe (PID: 6636 cmdline: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe MD5: 3DAD3D4918E28DED77C3E2E93A42665F)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "office5@iykmoreentrprise.orgrwkWCM328mail.iykmoreentrprise.org"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.333313035.00000000037F9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.582976077.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.pd9EeXdsQtNb3dQ.exe.390c790.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
3.2.pd9EeXdsQtNb3dQ.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.pd9EeXdsQtNb3dQ.exe.390c790.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 3.2.pd9EeXdsQtNb3dQ.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "office5@iykmoreentrprise.orgrwkWCM328mail.iykmoreentrprise.org"}
Multi AV Scanner detection for submitted file
Source: pd9EeXdsQtNb3dQ.exe | Virustotal: Detection: 14%
Source: pd9EeXdsQtNb3dQ.exe | ReversingLabs: Detection: 51%
Source: 3.2.pd9EeXdsQtNb3dQ.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: pd9EeXdsQtNb3dQ.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: pd9EeXdsQtNb3dQ.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\megrKadQRn\src\obj\Debug\IMethodMessage.pdb source: pd9EeXdsQtNb3dQ.exe
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: global traffic | TCP traffic: 192.168.2.6:49749 -> 66.70.204.222:587
Source: Joe Sandbox View | IP Address: 66.70.204.222
Source: Joe Sandbox View | ASN Name: OVHFR
Source: global traffic | TCP traffic: 192.168.2.6:49749 -> 66.70.204.222:587
Source: unknown | DNS traffic detected: queries for: mail.iykmoreentrprise.org
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp | String found in binary or memory: http://DXvqav.com
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588712219.0000000003398000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588755539.00000000033A6000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588712219.0000000003398000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588712219.0000000003398000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588712219.0000000003398000.00000004.00000001.sdmp | String found in binary or memory: http://iykmoreentrprise.org
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588712219.0000000003398000.00000004.00000001.sdmp | String found in binary or memory: http://mail.iykmoreentrprise.org
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588755539.00000000033A6000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588755539.00000000033A6000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.331949813.00000000027F1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: pd9EeXdsQtNb3dQ.exe | String found in binary or memory: http://tempuri.org/Shops_DBDataSet.xsd
Source: pd9EeXdsQtNb3dQ.exe | String found in binary or memory: http://tempuri.org/Shops_DBDataSet.xsd9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGPrope
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588834930.00000000033C6000.00000004.00000001.sdmp | String found in binary or memory: https://NtZtA8FE2WmoFQd.com
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.333313035.00000000037F9000.00000004.00000001.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000002.582976077.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_0533F968
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_0533E048
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_0533EA68
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_0533E520
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_05338DC0
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_0533CC40
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_0533D7E0
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_053329B0
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_053329A0
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_053331F8
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_059E21C8
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_059E2D68
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_059EE3D8
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_059E21BA
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_059E69F5
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_059E0908
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_059E0906
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_059E1D38
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_059E1D28
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_059E2CB9
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_059E7808
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_059E63CD
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_059E77F9
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_059E93F0
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_059E7310
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_059E1B30
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_059E7320
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_059E1B20
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_059E7AE8
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 3_2_0135B998
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 3_2_0135972D
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 3_2_01355700
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 3_2_01356960
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 3_2_013C2020
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 3_2_013CAB70
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 3_2_013C2F6D
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 3_2_013C2618
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 3_2_013CB668
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 3_2_013CF117
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 3_2_013CDBF8
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 3_2_01418388
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 3_2_01413A78
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 3_2_01416288
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 3_2_01419460
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 3_2_0141E650
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 3_2_0141613A
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 3_2_0141E260
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 3_2_01415620
Source: pd9EeXdsQtNb3dQ.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.333313035.00000000037F9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamekwwXmjSlWzClvYrsuIIfArLMqOg.exe4 vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.333313035.00000000037F9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.331949813.00000000027F1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll( vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000000.317330341.0000000000568000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIMethodMessage.exe: vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe, 00000002.00000002.327814127.0000000000568000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIMethodMessage.exe: vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328988968.0000000000CC8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIMethodMessage.exe: vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.584799956.0000000001420000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.585395067.00000000014F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.582976077.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamekwwXmjSlWzClvYrsuIIfArLMqOg.exe4 vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.583993167.00000000010F8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe | Binary or memory string: OriginalFilenameIMethodMessage.exe: vs pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/1@2/1
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pd9EeXdsQtNb3dQ.exe.log
Source: pd9EeXdsQtNb3dQ.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [dbo].[categories] ([CateryName], [Description], [Picture]) VALUES (@CateryName, @Description, @Picture);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: UPDATE [creditors] SET [OrderID] = @OrderID, [SupplierID] = @SupplierID, [EmployeeID] = @EmployeeID, [AmountDue] = @AmountDue, [CompletePayments] = @CompletePayments WHERE (([OrderID] = @Original_OrderID) AND ([SupplierID] = @Original_SupplierID) AND ([EmployeeID] = @Original_EmployeeID) AND ([AmountDue] = @Original_AmountDue) AND ([CompletePayments] = @Original_CompletePayments));
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: UPDATE [ExpenseType] SET [TypeName] = @TypeName, [Description] = @Description, [CreatedBy] = @CreatedBy, [CreatedDate] = @CreatedDate, [ModifiedBy] = @ModifiedBy, [ModifiedDate] = @ModifiedDate WHERE (([Id] = @Original_Id) AND ([TypeName] = @Original_TypeName) AND ((@IsNull_Description = 1 AND [Description] IS NULL) OR ([Description] = @Original_Description)) AND ((@IsNull_CreatedBy = 1 AND [CreatedBy] IS NULL) OR ([CreatedBy] = @Original_CreatedBy)) AND ((@IsNull_CreatedDate = 1 AND [CreatedDate] IS NULL) OR ([CreatedDate] = @Original_CreatedDate)) AND ((@IsNull_ModifiedBy = 1 AND [ModifiedBy] IS NULL) OR ([ModifiedBy] = @Original_ModifiedBy)) AND ((@IsNull_ModifiedDate = 1 AND [ModifiedDate] IS NULL) OR ([ModifiedDate] = @Original_ModifiedDate)));
Source: pd9EeXdsQtNb3dQ.exe | Binary or memory string: INSERT INTO [usergroups] ([GroupName], [Description], [GroupMenus]) VALUES (@GroupName, @Description, @GroupMenus); SELECT GroupID
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: pd9EeXdsQtNb3dQ.exe | Binary or memory string: INSERT INTO [dbo].[tblMenu] ([menuName], [menuText]) VALUES (@menuName, @menuText); SELECT menuID, menuName, menuText FROM tblMenu
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [products] ([ProductCode], [ProductName], [CategoryID], [UnitPrice], [UnitsInStock], [ReorderLevel], [Discontinued], [Description], [LocationID], [Discount], [WHUnitPrice], [AvgCost]) VALUES (@ProductCode, @ProductName, @CategoryID, @UnitPrice, @UnitsInStock, @ReorderLevel, @Discontinued, @Description, @LocationID, @Discount, @WHUnitPrice, @AvgCost);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: UPDATE [ExpiryDates] SET [ProductID] = @ProductID, [Quantity] = @Quantity, [ExpiryDate] = @ExpiryDate, [OrderDetailsID] = @OrderDetailsID WHERE (([ExpiryDateID] = @Original_ExpiryDateID) AND ([ProductID] = @Original_ProductID) AND ([Quantity] = @Original_Quantity) AND ([ExpiryDate] = @Original_ExpiryDate) AND ([OrderDetailsID] = @Original_OrderDetailsID));
Source: pd9EeXdsQtNb3dQ.exe | Binary or memory string: INSERT INTO [dbo].[userstbl] ([Userid], [Passwd], [EmployeeID], [GroupID]) VALUES (@Userid, @Passwd, @EmployeeID, @GroupID); SELEC
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [sales] ([CustomerID], [EmployeeID], [SalesDate], [SalesTime], [PaymentType], [TotalAmount], [PriceOffset], [SaleType]) VALUES (@CustomerID, @EmployeeID, @SalesDate, @SalesTime, @PaymentType, @TotalAmount, @PriceOffset, @SaleType);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [dbo].[Employees] ([LastName], [FirstName], [Sex], [JobID], [BirthDate], [HireDate], [Address], [PhoneNo], [Country], [EmailAddress], [Picture]) VALUES (@LastName, @FirstName, @Sex, @JobID, @BirthDate, @HireDate, @Address, @PhoneNo, @Country, @EmailAddress, @Picture);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: UPDATE [usergroups] SET [GroupName] = @GroupName, [Description] = @Description, [GroupMenus] = @GroupMenus WHERE (([GroupID] = @Original_GroupID) AND ([GroupName] = @Original_GroupName) AND ((@IsNull_Description = 1 AND [Description] IS NULL) OR ([Description] = @Original_Description)));
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: UPDATE [products] SET [ProductCode] = @ProductCode, [ProductName] = @ProductName, [CategoryID] = @CategoryID, [UnitPrice] = @UnitPrice, [UnitsInStock] = @UnitsInStock, [ReorderLevel] = @ReorderLevel, [Discontinued] = @Discontinued, [Description] = @Description, [LocationID] = @LocationID, [Discount] = @Discount, [WHUnitPrice] = @WHUnitPrice, [AvgCost] = @AvgCost WHERE (([ProductID] = @Original_ProductID) AND ((@IsNull_ProductCode = 1 AND [ProductCode] IS NULL) OR ([ProductCode] = @Original_ProductCode)) AND ([ProductName] = @Original_ProductName) AND ([CategoryID] = @Original_CategoryID) AND ([UnitPrice] = @Original_UnitPrice) AND ([UnitsInStock] = @Original_UnitsInStock) AND ((@IsNull_ReorderLevel = 1 AND [ReorderLevel] IS NULL) OR ([ReorderLevel] = @Original_ReorderLevel)) AND ((@IsNull_Discontinued = 1 AND [Discontinued] IS NULL) OR ([Discontinued] = @Original_Discontinued)) AND ((@IsNull_Description = 1 AND [Description] IS NULL) OR ([Description] = @Original_Description)) AND ((@IsNull_LocationID = 1 AND [LocationID] IS NULL) OR ([LocationID] = @Original_LocationID)) AND ([Discount] = @Original_Discount) AND ((@IsNull_WHUnitPrice = 1 AND [WHUnitPrice] IS NULL) OR ([WHUnitPrice] = @Original_WHUnitPrice)) AND ((@IsNull_AvgCost = 1 AND [AvgCost] IS NULL) OR ([AvgCost] = @Original_AvgCost)));
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: UPDATE [dbo].[orderdetails] SET [OrderID] = @OrderID, [ProductID] = @ProductID, [UnitPrice] = @UnitPrice, [Quantity] = @Quantity, [Discount] = @Discount, [ExpiryDate] = @ExpiryDate WHERE (([OrderID] = @Original_OrderID) AND ([ProductID] = @Original_ProductID) AND ([UnitPrice] = @Original_UnitPrice) AND ([Quantity] = @Original_Quantity) AND ([Discount] = @Original_Discount) AND ((@IsNull_ExpiryDate = 1 AND [ExpiryDate] IS NULL) OR ([ExpiryDate] = @Original_ExpiryDate)));
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [dbo].[userstbl] ([Userid], [Passwd], [EmployeeID], [GroupID]) VALUES (@Userid, @Passwd, @EmployeeID, @GroupID);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: UPDATE [dbo].[categories] SET [CateryName] = @CateryName, [Description] = @Description, [Picture] = @Picture WHERE (([CategoryID] = @Original_CategoryID) AND ((@IsNull_CateryName = 1 AND [CateryName] IS NULL) OR ([CateryName] = @Original_CateryName)) AND ((@IsNull_Description = 1 AND [Description] IS NULL) OR ([Description] = @Original_Description)));
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [dbo].[customers] ([CompanyName], [ContactName], [ContactTitle], [Address], [Country], [PhoneNo], [EmailAddress]) VALUES (@CompanyName, @ContactName, @ContactTitle, @Address, @Country, @PhoneNo, @EmailAddress);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: UPDATE [Debtors] SET [SalesID] = @SalesID, [CustomerID] = @CustomerID, [EmployeeID] = @EmployeeID, [AmountDue] = @AmountDue, [CompletePayments] = @CompletePayments WHERE (([SalesID] = @Original_SalesID) AND ((@IsNull_CustomerID = 1 AND [CustomerID] IS NULL) OR ([CustomerID] = @Original_CustomerID)) AND ((@IsNull_EmployeeID = 1 AND [EmployeeID] IS NULL) OR ([EmployeeID] = @Original_EmployeeID)) AND ((@IsNull_AmountDue = 1 AND [AmountDue] IS NULL) OR ([AmountDue] = @Original_AmountDue)) AND ((@IsNull_CompletePayments = 1 AND [CompletePayments] IS NULL) OR ([CompletePayments] = @Original_CompletePayments)));
Source: pd9EeXdsQtNb3dQ.exe | Binary or memory string: INSERT INTO [dbo].[Jobs] ([JobName], [Description]) VALUES (@JobName, @Description); SELECT JobID, JobName, Description FROM Jobs
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: UPDATE [dbo].[Employees] SET [LastName] = @LastName, [FirstName] = @FirstName, [Sex] = @Sex, [JobID] = @JobID, [BirthDate] = @BirthDate, [HireDate] = @HireDate, [Address] = @Address, [PhoneNo] = @PhoneNo, [Country] = @Country, [EmailAddress] = @EmailAddress, [Picture] = @Picture WHERE (([EmployeeID] = @Original_EmployeeID) AND ([LastName] = @Original_LastName) AND ([FirstName] = @Original_FirstName) AND ((@IsNull_Sex = 1 AND [Sex] IS NULL) OR ([Sex] = @Original_Sex)) AND ((@IsNull_JobID = 1 AND [JobID] IS NULL) OR ([JobID] = @Original_JobID)) AND ((@IsNull_BirthDate = 1 AND [BirthDate] IS NULL) OR ([BirthDate] = @Original_BirthDate)) AND ((@IsNull_HireDate = 1 AND [HireDate] IS NULL) OR ([HireDate] = @Original_HireDate)) AND ((@IsNull_Address = 1 AND [Address] IS NULL) OR ([Address] = @Original_Address)) AND ((@IsNull_PhoneNo = 1 AND [PhoneNo] IS NULL) OR ([PhoneNo] = @Original_PhoneNo)) AND ((@IsNull_Country = 1 AND [Country] IS NULL) OR ([Country] = @Original_Country)) AND ((@IsNull_EmailAddress = 1 AND [EmailAddress] IS NULL) OR ([EmailAddress] = @Original_EmailAddress)));
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [dbo].[tblMenu] ([menuName], [menuText]) VALUES (@menuName, @menuText);
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: UPDATE [ShopInfo] SET [ShopName] = @ShopName, [Telephone] = @Telephone, [OwnerName] = @OwnerName, [Location] = @Location, [Email] = @Email, [CreatedBy] = @CreatedBy, [CreatedDate] = @CreatedDate, [ModifiedBy] = @ModifiedBy, [ModifiedDate] = @ModifiedDate WHERE (([Id] = @Original_Id) AND ([ShopName] = @Original_ShopName) AND ([Telephone] = @Original_Telephone) AND ((@IsNull_OwnerName = 1 AND [OwnerName] IS NULL) OR ([OwnerName] = @Original_OwnerName)) AND ([Location] = @Original_Location) AND ((@IsNull_Email = 1 AND [Email] IS NULL) OR ([Email] = @Original_Email)) AND ((@IsNull_CreatedBy = 1 AND [CreatedBy] IS NULL) OR ([CreatedBy] = @Original_CreatedBy)) AND ((@IsNull_CreatedDate = 1 AND [CreatedDate] IS NULL) OR ([CreatedDate] = @Original_CreatedDate)) AND ((@IsNull_ModifiedBy = 1 AND [ModifiedBy] IS NULL) OR ([ModifiedBy] = @Original_ModifiedBy)) AND ((@IsNull_ModifiedDate = 1 AND [ModifiedDate] IS NULL) OR ([ModifiedDate] = @Original_ModifiedDate)));
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [ExpiryDates] ([ProductID], [Quantity], [ExpiryDate], [OrderDetailsID]) VALUES (@ProductID, @Quantity, @ExpiryDate, @OrderDetailsID);
                  Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmpBinary or memory string: UPDATE [sales] SET [CustomerID] = @CustomerID, [EmployeeID] = @EmployeeID, [SalesDate] = @SalesDate, [SalesTime] = @SalesTime, [PaymentType] = @PaymentType, [TotalAmount] = @TotalAmount, [PriceOffset] = @PriceOffset, [SaleType] = @SaleType WHERE (([SalesID] = @Original_SalesID) AND ((@IsNull_CustomerID = 1 AND [CustomerID] IS NULL) OR ([CustomerID] = @Original_CustomerID)) AND ((@IsNull_EmployeeID = 1 AND [EmployeeID] IS NULL) OR ([EmployeeID] = @Original_EmployeeID)) AND ([SalesDate] = @Original_SalesDate) AND ([SalesTime] = @Original_SalesTime) AND ((@IsNull_PaymentType = 1 AND [PaymentType] IS NULL) OR ([PaymentType] = @Original_PaymentType)) AND ([TotalAmount] = @Original_TotalAmount) AND ((@IsNull_PriceOffset = 1 AND [PriceOffset] IS NULL) OR ([PriceOffset] = @Original_PriceOffset)) AND ((@IsNull_SaleType = 1 AND [SaleType] IS NULL) OR ([SaleType] = @Original_SaleType)));
                  Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmpBinary or memory string: INSERT INTO [dbo].[orderdetails] ([OrderID], [ProductID], [UnitPrice], [Quantity], [Discount], [ExpiryDate]) VALUES (@OrderID, @ProductID, @UnitPrice, @Quantity, @Discount, @ExpiryDate);
                  Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmpBinary or memory string: UPDATE [company_orders] SET [SubplierID] = @SubplierID, [EmployeeID] = @EmployeeID, [OrderDate] = @OrderDate, [RequiredDate] = @RequiredDate, [TotalAmount] = @TotalAmount WHERE (([OrderID] = @Original_OrderID) AND ((@IsNull_SubplierID = 1 AND [SubplierID] IS NULL) OR ([SubplierID] = @Original_SubplierID)) AND ([EmployeeID] = @Original_EmployeeID) AND ([OrderDate] = @Original_OrderDate) AND ((@IsNull_RequiredDate = 1 AND [RequiredDate] IS NULL) OR ([RequiredDate] = @Original_RequiredDate)) AND ((@IsNull_TotalAmount = 1 AND [TotalAmount] IS NULL) OR ([TotalAmount] = @Original_TotalAmount)));
                  Source: pd9EeXdsQtNb3dQ.exeBinary or memory string: INSERT INTO [Location] ([LocationName], [Description]) VALUES (@LocationName, @Description); SELECT LocationID, LocationName, Desc
                  Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
                  Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmpBinary or memory string: INSERT INTO [usergroups] ([GroupName], [Description], [GroupMenus]) VALUES (@GroupName, @Description, @GroupMenus);
                  Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmpBinary or memory string: UPDATE [salesdetails] SET [SalesID] = @SalesID, [ProductID] = @ProductID, [UnitPrice] = @UnitPrice, [Quantity] = @Quantity, [Discount] = @Discount WHERE (([SalesID] = @Original_SalesID) AND ([ProductID] = @Original_ProductID) AND ([UnitPrice] = @Original_UnitPrice) AND ([Quantity] = @Original_Quantity) AND ((@IsNull_Discount = 1 AND [Discount] IS NULL) OR ([Discount] = @Original_Discount)));
                  Source: pd9EeXdsQtNb3dQ.exeBinary or memory string: INSERT INTO [dbo].[tblMenu] ([menuName], [menuText]) VALUES (@menuName, @menuText);
                  Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmpBinary or memory string: INSERT INTO [ExpenseType] ([TypeName], [Description], [CreatedBy], [CreatedDate], [ModifiedBy], [ModifiedDate]) VALUES (@TypeName, @Description, @CreatedBy, @CreatedDate, @ModifiedBy, @ModifiedDate);
                  Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
                  Source: pd9EeXdsQtNb3dQ.exeBinary or memory string: UPDATE userstbl SET Passwd = @Passwd WHERE (Userid = @Userid);
                  Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmpBinary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
                  Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmpBinary or memory string: INSERT INTO [suppliers] ([CompanyName], [ContactName], [Address], [Country], [PhoneNO], [Fax], [HomePage], [EmailAddress]) VALUES (@CompanyName, @ContactName, @Address, @Country, @PhoneNO, @Fax, @HomePage, @EmailAddress);
                  Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
                  Source: pd9EeXdsQtNb3dQ.exeBinary or memory string: INSERT INTO [dbo].[categories] ([CateryName], [Description], [Picture]) VALUES (@CateryName, @Description, @Picture); SELECT Categ
                  Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.330041590.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000002.00000000.326960241.0000000000332000.00000002.00020000.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000000.328731551.0000000000A92000.00000002.00020000.sdmpBinary or memory string: UPDATE [dbo].[Jobs] SET [JobName] = @JobName, [Description] = @Description WHERE (([JobID] = @Original_JobID) AND ((@IsNull_JobName = 1 AND [JobName] IS NULL) OR ([JobName] = @Original_JobName)) AND ((@IsNull_Description = 1 AND [Description] IS NULL) OR ([Description] = @Original_Description)));
Source: pd9EeXdsQtNb3dQ.exe | Virustotal: Detection: 14%
Source: pd9EeXdsQtNb3dQ.exe | ReversingLabs: Detection: 51%
Source: pd9EeXdsQtNb3dQ.exe | String found in binary or memory: About9HelpToolStripMenuItem1.Image-HelpToolStripMenuItem1
Source: unknown | Process created: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe 'C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe'
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Process created: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Process created: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Process created: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Process created: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: pd9EeXdsQtNb3dQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: pd9EeXdsQtNb3dQ.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: pd9EeXdsQtNb3dQ.exe | Static file information: File size 2330624 > 1048576
Source: pd9EeXdsQtNb3dQ.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x234a00
Source: pd9EeXdsQtNb3dQ.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: pd9EeXdsQtNb3dQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\megrKadQRn\src\obj\Debug\IMethodMessage.pdb | source: pd9EeXdsQtNb3dQ.exe
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_0533659D push esp; ret
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_0533642B push ebp; ret
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_05336461 push ebp; ret
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_053364FF push esp; ret
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_053364EC push ebp; ret
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_0533663E push ebx; ret
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_053366BD push ebx; ret
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_053366FF push edx; ret
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_05336977 push eax; ret
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_05335974 pushad ; ret
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_05336947 push ecx; ret
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_053369AE push eax; ret
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_053380E4 push 3400035Eh; ret
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_053368EC push ecx; ret
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_0533639B push esi; ret
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_0533629F push edi; ret
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_059E7CA9 push D0456990h; iretd
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_059E6639 push D0456990h; iretd
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 3_2_013C7A37 push edi; retn 0000h
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 3_2_0141011E push ds; retf
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 3_2_0141CBC2 push 8BFFFFFFh; retf
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 3_2_0141F270 push esp; iretd
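The Code function entries above are "push X; ret"-family pairs: the pushed value becomes the return address, so the ret acts as an indirect jump that a recursive-descent disassembler does not follow. As an added illustration (not tooling from the report and not code from the sample), the Python below scans a byte buffer for those encodings the way such a signature does. The opcode tables are standard IA-32 encodings; SAMPLE is hand-assembled from the mnemonics listed above and is constructed input, not bytes from the analysed file; the report-style "0_2_<address>" prefix produced by format_like_report, and the reading of its two leading numbers as process and dump index, are this example's assumptions.

```python
"""Added example (not from the report or the sample): byte-pattern scanner
for push/ret, push/retn, push/retf and push/iretd pairs.  The scan runs
over raw bytes, which is exactly what makes this kind of signature noisy:
it also fires on immediates, data, and the tails of longer instructions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Standard IA-32 one-byte encodings.
PUSH_REG = {0x50: "eax", 0x51: "ecx", 0x52: "edx", 0x53: "ebx",
            0x54: "esp", 0x55: "ebp", 0x56: "esi", 0x57: "edi"}
PUSH_SREG = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds"}
PUSHAD, PUSH_IMM32, RETN_IMM16 = 0x60, 0x68, 0xC2
RET_OPS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}


@dataclass
class Gadget:
    offset: int   # virtual address when a base is supplied, else buffer offset
    text: str     # e.g. "push ebp; ret", in the report's spelling


def decode_push(buf: bytes, i: int) -> Optional[Tuple[str, int]]:
    """(mnemonic, length) if a push encoding starts at buf[i], else None."""
    op = buf[i]
    if op in PUSH_REG:
        return f"push {PUSH_REG[op]}", 1
    if op in PUSH_SREG:
        return f"push {PUSH_SREG[op]}", 1
    if op == PUSHAD:
        return "pushad", 1
    if op == PUSH_IMM32 and i + 5 <= len(buf):
        imm = int.from_bytes(buf[i + 1:i + 5], "little")
        return f"push {imm:08X}h", 5
    return None


def decode_ret(buf: bytes, i: int) -> Optional[Tuple[str, int]]:
    """(mnemonic, length) if a ret-family encoding starts at buf[i], else None."""
    op = buf[i]
    if op in RET_OPS:
        return RET_OPS[op], 1
    if op == RETN_IMM16 and i + 3 <= len(buf):
        imm = int.from_bytes(buf[i + 1:i + 3], "little")
        return f"retn {imm:04X}h", 3
    return None


def find_push_ret(buf: bytes, base: int = 0) -> List[Gadget]:
    """Linear scan: report every push immediately followed by a ret.
    After a hit the scan skips the matched bytes; otherwise it advances one
    byte, so it is deliberately not an instruction-accurate disassembly."""
    found, i = [], 0
    while i < len(buf):
        push = decode_push(buf, i)
        if push and i + push[1] < len(buf):
            ret = decode_ret(buf, i + push[1])
            if ret:
                found.append(Gadget(base + i, f"{push[0]}; {ret[0]}"))
                i += push[1] + ret[1]
                continue
        i += 1
    return found


def format_like_report(g: Gadget, proc_idx: int = 0, dump_idx: int = 2) -> str:
    """Render a hit as "<process>_<dump>_<address> <mnemonics>".  Reading the
    two leading numbers as process index and dump index is our assumption
    about the report's naming, not something the report documents."""
    return f"{proc_idx}_{dump_idx}_{g.offset:08X} {g.text}"


# Constructed input: the report's mnemonics hand-assembled, plus one ordinary
# "push ebp; mov ebp, esp" prologue that must not be reported.
SAMPLE = bytes([
    0x54, 0xC3,                          # push esp; ret
    0x90,                                # nop
    0x55, 0xC3,                          # push ebp; ret
    0x68, 0x5E, 0x03, 0x00, 0x34, 0xC3,  # push 3400035Eh; ret
    0x68, 0x90, 0x69, 0x45, 0xD0, 0xCF,  # push D0456990h; iretd
    0x57, 0xC2, 0x00, 0x00,              # push edi; retn 0000h
    0x1E, 0xCB,                          # push ds; retf
    0x60, 0xC3,                          # pushad; ret
    0x68, 0xFF, 0xFF, 0xFF, 0x8B, 0xCB,  # push 8BFFFFFFh; retf
    0x55, 0x8B, 0xEC,                    # push ebp; mov ebp, esp (benign)
])

if __name__ == "__main__":
    for g in find_push_ret(SAMPLE, base=0x05336000):
        print(format_like_report(g))
```

Addresses such as 0x0533659D lie far above the 0x400000 image base that the injection entry later in this report writes to, so these instructions sit in memory the process allocated at run time (the .NET JIT's code heap or an unpacked native stage), not in the on-disk .text section; to reproduce the hits, run the scanner over the matching .sdmp region with base set to that region's load address. Expect false positives: the scan also matches inside immediates and data, which is why this signature is informational on its own and only carries weight together with the injection and anti-VM evidence.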
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Process information set: NOOPENFILEERRORBOX (this identical entry appears 87 times in the report, once per call; the repeats are collapsed here)

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: pd9EeXdsQtNb3dQ.exe PID: 6472, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_05330A73 rdtsc
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Window / User API: threadDelayed 666
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Window / User API: threadDelayed 9153
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe TID: 6476 | Thread sleep time: -101282s >= -30000s
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe TID: 6532 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe TID: 6864 | Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe TID: 6868 | Thread sleep count: 666 > 30
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe TID: 6868 | Thread sleep count: 9153 > 30
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe TID: 6864 | Thread sleep count: 40 > 30
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Thread delayed: delay time: 101282
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Thread delayed: delay time: 922337203685477
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 0_2_05330A73 rdtsc
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Code function: 3_2_013CC538 LdrInitializeThunk,
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Memory allocated: page read and write | page guard
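Every "Binary or memory string" entry in this section is a substring hit on a memory dump. As an added example (the report's own string engine is not shown here, and this is not code from the sample), the Python below reproduces that check: it extracts printable ASCII and UTF-16LE runs from a buffer standing in for an .sdmp region (a .NET process stores System.String bodies as UTF-16, so an ASCII-only scan misses most of them) and matches them against the VM and sandbox artefacts listed above, including the Defender exclusion command fragment. The indicator strings are taken from the report's evidence; the category names, the constructed dump bytes and the six-character minimum length are this example's assumptions.

```python
"""Added example, not part of the Joe Sandbox report: memory-string scan for
the VM / sandbox indicators the report lists, over a constructed dump."""
import re
from collections import defaultdict
from typing import Dict, Iterator, List, Tuple

# Needles come from the report's evidence lines; the grouping is ours.
# Matching is case-insensitive because the report shows both "vmware" and "VMWARE".
INDICATORS: Dict[str, List[str]] = {
    "sandboxie":     ["SBIEDLL.DLL"],
    "wine":          ["WINE_GET_UNIX_FILE_NAME"],
    "vmware":        ["VMware SVGA II", "VMware Tools", "VMWARE"],
    "scsi-enum":     ["HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port"],
    "defender-excl": ["Add-MpPreference -ExclusionPath"],
}

_ASCII = re.compile(rb"[\x20-\x7e]{6,}")               # printable ASCII run
_UTF16LE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")     # ASCII-range UTF-16LE run

Hit = Tuple[int, str, str]  # (offset in buffer, encoding, decoded text)


def extract_strings(blob: bytes) -> Iterator[Hit]:
    """Yield printable runs of six or more characters: ASCII first, then UTF-16LE."""
    for m in _ASCII.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in _UTF16LE.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def match_indicators(blob: bytes) -> Dict[str, List[Hit]]:
    """Map each category to the extracted strings containing one of its
    needles.  A string counts once per category even if it holds several."""
    hits: Dict[str, List[Hit]] = defaultdict(list)
    for off, enc, text in extract_strings(blob):
        low = text.lower()
        for category, needles in INDICATORS.items():
            if any(n.lower() in low for n in needles):
                hits[category].append((off, enc, text))
    return dict(hits)


def evasion_categories(hits: Dict[str, List[Hit]]) -> List[str]:
    """Categories that fingerprint a VM or sandbox.  The Defender exclusion
    string is post-evasion behaviour and is kept out of this list."""
    return sorted(c for c in hits if c != "defender-excl")


def build_sample_dump() -> bytes:
    """Constructed stand-in for an .sdmp region (not bytes from the analysed
    file): two UTF-16 string bodies as a .NET heap holds them, one ASCII run
    laid out like the report's fused 'VMware SVGA II!Add-MpPreference ...'
    evidence, a benign window-class name, and filler."""
    return b"".join([
        b"\x00" * 16,
        "SBIEDLL.DLL".encode("utf-16le"), b"\x00\x00",
        b"\x13\x37" * 8,
        "WINE_GET_UNIX_FILE_NAME".encode("utf-16le"), b"\x00\x00",
        b'VMware SVGA II!Add-MpPreference -ExclusionPath "', b"\x00\x00\x00",
        "SOFTWARE\\VMware, Inc.\\VMware Tools".encode("utf-16le"), b"\x00\x00",
        b"Progman\x00",
        b"\xff" * 8,
    ])


if __name__ == "__main__":
    found = match_indicators(build_sample_dump())
    for category, items in sorted(found.items()):
        for off, enc, text in items:
            print(f"{category:14} +0x{off:04x} {enc:8} {text}")
    print("evasion categories:", evasion_categories(found))
```

The report's 'VMware SVGA II!Add-MpPreference -ExclusionPath "' entry is most likely two adjacent strings with no terminator between them; the scanner above returns the same fused run for the constructed layout, which is why matching is by substring rather than by whole string. Two caveats for triage: the VMware needles also occur in legitimate software that merely ships VMware-aware code, so the verdict should rest on the combination with the WMI queries and the sleep loops shown above; and on those sleeps, 922337203685477 ms is TimeSpan.MaxValue expressed in milliseconds (2^63-1 ticks of 100 ns), a delay that would never elapse on a real host.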

                  HIPS / PFW / Operating System Protection Evasion:

                  barindex
                  Injects a PE file into a foreign processesShow sources
                  Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exeMemory written: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exeProcess created: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Process created: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.585985572.0000000001980000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.585985572.0000000001980000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.585985572.0000000001980000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
Source: pd9EeXdsQtNb3dQ.exe, 00000003.00000002.585985572.0000000001980000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Queries volume information: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe VolumeInformation
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Queries volume information: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe VolumeInformation
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.333313035.00000000037F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.582976077.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: pd9EeXdsQtNb3dQ.exe PID: 6472, type: MEMORY
Source: Yara match | File source: Process Memory Space: pd9EeXdsQtNb3dQ.exe PID: 6636, type: MEMORY
Source: Yara match | File source: 0.2.pd9EeXdsQtNb3dQ.exe.390c790.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.pd9EeXdsQtNb3dQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pd9EeXdsQtNb3dQ.exe.390c790.3.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: pd9EeXdsQtNb3dQ.exe PID: 6636, type: MEMORY

                  Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.333313035.00000000037F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.582976077.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: pd9EeXdsQtNb3dQ.exe PID: 6472, type: MEMORY
Source: Yara match | File source: Process Memory Space: pd9EeXdsQtNb3dQ.exe PID: 6636, type: MEMORY
Source: Yara match | File source: 0.2.pd9EeXdsQtNb3dQ.exe.390c790.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.pd9EeXdsQtNb3dQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pd9EeXdsQtNb3dQ.exe.390c790.3.raw.unpack, type: UNPACKEDPE

                  Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
| Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 112 | Masquerading 1 | OS Credential Dumping 2 | Query Registry 1 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Command and Scripting Interpreter 2 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | Credentials in Registry 1 | Security Software Discovery 221 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 131 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Local System 2 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Virtualization/Sandbox Evasion 131 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 2 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 1 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 114 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |

                  Behavior Graph


                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

| Source | Detection | Scanner | Label |
| pd9EeXdsQtNb3dQ.exe | 14% | Virustotal | |
| pd9EeXdsQtNb3dQ.exe | 52% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac |

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

| Source | Detection | Scanner | Label |
| 3.2.pd9EeXdsQtNb3dQ.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 |

                  Domains

                  No Antivirus matches

                  URLs

| Source | Detection | Scanner | Label |
| http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe |
| http://iykmoreentrprise.org | 0% | Avira URL Cloud | safe |
| http://DynDns.comDynDNS | 0% | URL Reputation | safe |
| http://cps.letsencrypt.org0 | 0% | URL Reputation | safe |
| https://NtZtA8FE2WmoFQd.com | 0% | Avira URL Cloud | safe |
| https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe |
| http://DXvqav.com | 0% | Avira URL Cloud | safe |
| http://r3.o.lencr.org0 | 0% | URL Reputation | safe |
| http://tempuri.org/Shops_DBDataSet.xsd9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGPrope | 0% | Avira URL Cloud | safe |
| https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe |
| https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe |
| http://mail.iykmoreentrprise.org | 0% | Avira URL Cloud | safe |
| http://tempuri.org/Shops_DBDataSet.xsd | 0% | Avira URL Cloud | safe |
| https://api.ipify.org%$ | 0% | Avira URL Cloud | safe |
| http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe |
| http://r3.i.lencr.org/0 | 0% | URL Reputation | safe |

                  Domains and IPs

                  Contacted Domains

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
| iykmoreentrprise.org | 66.70.204.222 | true | true | | unknown |
| mail.iykmoreentrprise.org | unknown | unknown | true | | unknown |

                      URLs from Memory and Binaries

| Name | Source | Malicious | Antivirus Detection | Reputation |
| http://127.0.0.1:HTTP/1.1 | pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low |
| http://iykmoreentrprise.org | pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588712219.0000000003398000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown |
| http://DynDns.comDynDNS | pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown |
| http://cps.letsencrypt.org0 | pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588755539.00000000033A6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown |
| https://NtZtA8FE2WmoFQd.com | pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588834930.00000000033C6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown |
| https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown |
| http://DXvqav.com | pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown |
| http://r3.o.lencr.org0 | pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588755539.00000000033A6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown |
| http://tempuri.org/Shops_DBDataSet.xsd9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGPrope | pd9EeXdsQtNb3dQ.exe | false | Avira URL Cloud: safe | unknown |
| https://api.ipify.org%GETMozilla/5.0 | pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp | false | URL Reputation: safe | low |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | pd9EeXdsQtNb3dQ.exe, 00000000.00000002.331949813.00000000027F1000.00000004.00000001.sdmp | false | | high |
| https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | pd9EeXdsQtNb3dQ.exe, 00000000.00000002.333313035.00000000037F9000.00000004.00000001.sdmp, pd9EeXdsQtNb3dQ.exe, 00000003.00000002.582976077.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown |
| https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | pd9EeXdsQtNb3dQ.exe, 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp | false | | high |
| http://mail.iykmoreentrprise.org | pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588712219.0000000003398000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown |
| http://tempuri.org/Shops_DBDataSet.xsd | pd9EeXdsQtNb3dQ.exe | false | Avira URL Cloud: safe | unknown |
| https://api.ipify.org%$ | pd9EeXdsQtNb3dQ.exe, 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low |
| http://cps.root-x1.letsencrypt.org0 | pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588712219.0000000003398000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown |
| http://r3.i.lencr.org/0 | pd9EeXdsQtNb3dQ.exe, 00000003.00000002.588755539.00000000033A6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown |

                          Contacted IPs


                          Public

| IP | Domain | Country | ASN | ASN Name | Malicious |
| 66.70.204.222 | iykmoreentrprise.org | Canada | 16276 | OVHFR | true |

                          General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 404170
Start date: 04.05.2021
Start time: 19:12:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 14s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: pd9EeXdsQtNb3dQ.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@5/1@2/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Excluded IPs from analysis (whitelisted)
• Excluded domains from analysis (whitelisted)
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.

                          Simulations

                          Behavior and APIs

| Time | Type | Description |
| 19:13:04 | API Interceptor | 677x Sleep call for process: pd9EeXdsQtNb3dQ.exe modified |

                          Joe Sandbox View / Context

                          IPs

| Match | Associated Sample Name / URL | Detection |
| 66.70.204.222 | SecuriteInfo.com.W32.MSIL_Troj.ASI.genEldorado.27642.exe | malicious |
| | MZyeln5mSFOjxMx.exe | malicious |
| | FFrIJMwrI9cxeIZ.exe | malicious |
| | cljz48xwqb2VSBN.exe | malicious |
| | QTY 98657 RFQ MANDATE 020521.0003YDK.exe | malicious |
| | foakTEjUOvL9nBY.exe | malicious |
| | n4QstFh7YkjVcrU.exe | malicious |
| | AVuOP2vLzIMRG88.exe | malicious |
| | 316e3796_by_Libranalysis.exe | malicious |
| | GQTY 98657 RFQ MANDATE 28421.02AWYD.exe | malicious |
| | VJNPltkyHyI3CCo.exe | malicious |
| | 0L2qr7kJMh40sxq.exe | malicious |
| | ApuE9QrdQxe7Um6.exe | malicious |
| | 77iET1jNLJyV8ez.exe | malicious |
| | bOkrXdoYekZPyWI.exe | malicious |
| | ayZYB5SkqMPA06M.exe | malicious |
| | fyZ6iHys7ClIHFR.exe | malicious |
| | uMLNLd9kgPez84h.exe | malicious |
| | YQfInBo2DDpDfIX.exe | malicious |
| | ORDER 700198.exe | malicious |

                                                                  Domains

| Match | Associated Sample Name / URL | Detection | Context |

                                                                  ASN

| Match | Associated Sample Name / URL | Detection | Context |
| OVHFR | Outstanding-Debt-1840996632-05042021.xlsm | malicious | 51.89.73.159 |
| | SecuriteInfo.com.W32.MSIL_Troj.ASI.genEldorado.27642.exe | malicious | 66.70.204.222 |
| | Outstanding-Debt-610716193-05042021.xlsm | malicious | 51.89.73.159 |
| | Outstanding-Debt-1840996632-05042021.xlsm | malicious | 51.89.73.159 |
| | New Order Request_0232147.exe | malicious | 149.202.85.210 |
| | Transcation03232016646pdf.exe | malicious | 79.137.109.121 |
| | 5e60c283_by_Libranalysis.xlsm | malicious | 51.77.73.218 |
| | MZyeln5mSFOjxMx.exe | malicious | 66.70.204.222 |
| | 5e60c283_by_Libranalysis.xlsm | malicious | 51.77.73.218 |
| | 51086cc4_by_Libranalysis.dll | malicious | 167.114.113.13 |
| | 8aa43191_by_Libranalysis.dll | malicious | 167.114.113.13 |
| | 5e60c283_by_Libranalysis.xlsm | malicious | 51.77.73.218 |
| | 51086cc4_by_Libranalysis.dll | malicious | 167.114.113.13 |
| | 8aa43191_by_Libranalysis.dll | malicious | 167.114.113.13 |
| | 840e7dfd_by_Libranalysis.dll | malicious | 167.114.113.13 |
| | 840e7dfd_by_Libranalysis.dll | malicious | 167.114.113.13 |
| | 94765446_by_Libranalysis.dll | malicious | 167.114.113.13 |
| | d192feb6_by_Libranalysis.dll | malicious | 167.114.113.13 |
| | 7bc33f1c_by_Libranalysis.dll | malicious | 167.114.113.13 |
| | 94765446_by_Libranalysis.dll | malicious | 167.114.113.13 |

                                                                  JA3 Fingerprints

                                                                  No context

                                                                  Dropped Files

                                                                  No context

                                                                  Created / dropped Files

                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pd9EeXdsQtNb3dQ.exe.log
Process: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
                                                                  SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                                  MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                                  SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                                  SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                                  SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious: true
Reputation: high, very likely benign file
                                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 6.607400063403851
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: pd9EeXdsQtNb3dQ.exe
File size: 2330624
MD5: 3dad3d4918e28ded77c3e2e93a42665f
SHA1: 8b16dba4992b75a303f63a09d8a41ac99f28ce5c
SHA256: 1b61b157db50652678e1e288cfce86f6c74e40f50a468f6d04d0010c84235210
SHA512: 57173561296c538c174c3299ea6b64156c48977d8f958f86f14578d4a630ea80e7b6b890e6d1a21f94a1d556173db442b953b685de910f25d886cdeda88b3132
SSDEEP: 24576:sPlzZc9mZUzZZE1XcEoLfOo5MkdoG1eJk14kocZmPBDmIO:sPlz2tZauEoL3McoG1gcw3d
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P..J#..D.......i#.. ....#...@.. ........................$...........@................................

File Icon

Icon Hash: 07032d1f0527471b

Static PE Info

General

Entrypoint: 0x636912
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x60909F0A [Tue May 4 01:10:34 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
(the rest of the preview is zero padding, which disassembles as repeated "add byte ptr [eax], al")

This is the standard native stub of a .NET executable: 0x402000 is Imagebase 0x400000 plus the IAT at RVA 0x2000 (see Data Directories), whose only entry is mscoree.dll!_CorExeMain (see Imports); the managed code itself runs under the CLR.

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x2368c0         0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x238000         0x41e8        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x23e000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x236788         0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x234918      0x234a00  unknown   unknown          unknown    unknown         IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x238000         0x41e8        0x4200    False     0.514441287879   data       5.44364934449   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x23e000         0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name           RVA       Size    Type                                                                          Language  Country
RT_ICON        0x238140  0x468   GLS_BINARY_LSB_FIRST
RT_ICON        0x2385b8  0x10a8  data
RT_ICON        0x239670  0x25a8  data
RT_GROUP_ICON  0x23bc28  0x30    data
RT_VERSION     0x23bc68  0x380   data
RT_MANIFEST    0x23bff8  0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright Gilbert Adjin Frimpong
Assembly Version  1.0.0.0
InternalName      IMethodMessage.exe
FileVersion       1.0.0.0
CompanyName       Gilbert Adjin
LegalTrademarks
Comments
ProductName       Shop Manager
ProductVersion    1.0.0.0
FileDescription   Shop Manager
OriginalFilename  IMethodMessage.exe

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID  Message                                Source Port  Dest Port  Source IP       Dest IP
05/04/21-19:13:07.551654  ICMP      384  ICMP PING                                                      192.168.2.6     2.23.155.184
05/04/21-19:13:07.586777  ICMP      449  ICMP Time-To-Live Exceeded in Transit                          84.17.52.126    192.168.2.6
05/04/21-19:13:07.590236  ICMP      384  ICMP PING                                                      192.168.2.6     2.23.155.184
05/04/21-19:13:07.625531  ICMP      449  ICMP Time-To-Live Exceeded in Transit                          149.11.89.129   192.168.2.6
05/04/21-19:13:07.628818  ICMP      384  ICMP PING                                                      192.168.2.6     2.23.155.184
05/04/21-19:13:07.664673  ICMP      449  ICMP Time-To-Live Exceeded in Transit                          130.117.49.165  192.168.2.6
05/04/21-19:13:07.665430  ICMP      384  ICMP PING                                                      192.168.2.6     2.23.155.184
05/04/21-19:13:07.706276  ICMP      449  ICMP Time-To-Live Exceeded in Transit                          130.117.0.18    192.168.2.6
05/04/21-19:13:07.706835  ICMP      384  ICMP PING                                                      192.168.2.6     2.23.155.184
05/04/21-19:13:07.753450  ICMP      449  ICMP Time-To-Live Exceeded in Transit                          154.54.36.53    192.168.2.6
05/04/21-19:13:07.754164  ICMP      384  ICMP PING                                                      192.168.2.6     2.23.155.184
05/04/21-19:13:07.800340  ICMP      449  ICMP Time-To-Live Exceeded in Transit                          130.117.15.66   192.168.2.6
05/04/21-19:13:07.800797  ICMP      384  ICMP PING                                                      192.168.2.6     2.23.155.184
05/04/21-19:13:07.869203  ICMP      449  ICMP Time-To-Live Exceeded in Transit                          195.22.208.79   192.168.2.6
05/04/21-19:13:07.869689  ICMP      384  ICMP PING                                                      192.168.2.6     2.23.155.184
05/04/21-19:13:07.925619  ICMP      449  ICMP Time-To-Live Exceeded in Transit                          93.186.128.39   192.168.2.6
05/04/21-19:13:07.926043  ICMP      384  ICMP PING                                                      192.168.2.6     2.23.155.184
05/04/21-19:13:07.981484  ICMP      408  ICMP Echo Reply                                                2.23.155.184    192.168.2.6

Network Port Distribution

TCP Packets

UDP Packets
                                                                  May 4, 2021 19:13:54.380311966 CEST6220853192.168.2.68.8.8.8
                                                                  May 4, 2021 19:13:54.431982040 CEST53622088.8.8.8192.168.2.6
                                                                  May 4, 2021 19:13:55.107546091 CEST5757453192.168.2.68.8.8.8
                                                                  May 4, 2021 19:13:55.165186882 CEST53575748.8.8.8192.168.2.6
                                                                  May 4, 2021 19:13:56.469089031 CEST5181853192.168.2.68.8.8.8
                                                                  May 4, 2021 19:13:56.532123089 CEST53518188.8.8.8192.168.2.6
                                                                  May 4, 2021 19:13:58.452529907 CEST5662853192.168.2.68.8.8.8
                                                                  May 4, 2021 19:13:58.512274027 CEST53566288.8.8.8192.168.2.6
                                                                  May 4, 2021 19:13:59.010509968 CEST6077853192.168.2.68.8.8.8
                                                                  May 4, 2021 19:13:59.059247017 CEST53607788.8.8.8192.168.2.6
                                                                  May 4, 2021 19:14:05.857558966 CEST5379953192.168.2.68.8.8.8
                                                                  May 4, 2021 19:14:05.918920994 CEST53537998.8.8.8192.168.2.6
                                                                  May 4, 2021 19:14:37.559355021 CEST5468353192.168.2.68.8.8.8
                                                                  May 4, 2021 19:14:37.611212015 CEST53546838.8.8.8192.168.2.6
                                                                  May 4, 2021 19:14:38.171545029 CEST5932953192.168.2.68.8.8.8
                                                                  May 4, 2021 19:14:38.251847029 CEST53593298.8.8.8192.168.2.6
                                                                  May 4, 2021 19:14:39.192359924 CEST6402153192.168.2.68.8.8.8
                                                                  May 4, 2021 19:14:39.267153025 CEST53640218.8.8.8192.168.2.6
                                                                  May 4, 2021 19:14:51.694025040 CEST5612953192.168.2.68.8.8.8
                                                                  May 4, 2021 19:14:51.767874002 CEST53561298.8.8.8192.168.2.6
                                                                  May 4, 2021 19:14:51.796029091 CEST5817753192.168.2.68.8.8.8
                                                                  May 4, 2021 19:14:51.866108894 CEST53581778.8.8.8192.168.2.6

                                                                  DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 4, 2021 19:14:51.694025040 CEST | 192.168.2.6 | 8.8.8.8 | 0x9564 | Standard query (0) | mail.iykmoreentrprise.org | A (IP address) | IN (0x0001)
May 4, 2021 19:14:51.796029091 CEST | 192.168.2.6 | 8.8.8.8 | 0xaafe | Standard query (0) | mail.iykmoreentrprise.org | A (IP address) | IN (0x0001)

                                                                  DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 4, 2021 19:14:51.767874002 CEST | 8.8.8.8 | 192.168.2.6 | 0x9564 | No error (0) | mail.iykmoreentrprise.org | iykmoreentrprise.org | - | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 19:14:51.767874002 CEST | 8.8.8.8 | 192.168.2.6 | 0x9564 | No error (0) | iykmoreentrprise.org | - | 66.70.204.222 | A (IP address) | IN (0x0001)
May 4, 2021 19:14:51.866108894 CEST | 8.8.8.8 | 192.168.2.6 | 0xaafe | No error (0) | mail.iykmoreentrprise.org | iykmoreentrprise.org | - | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 19:14:51.866108894 CEST | 8.8.8.8 | 192.168.2.6 | 0xaafe | No error (0) | iykmoreentrprise.org | - | 66.70.204.222 | A (IP address) | IN (0x0001)

                                                                  SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
May 4, 2021 19:14:52.364695072 CEST | 587 | 49749 | 66.70.204.222 | 192.168.2.6 | 220-server.wlcserver.com ESMTP Exim 4.94 #2 Tue, 04 May 2021 21:14:52 +0400
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
May 4, 2021 19:14:52.367636919 CEST | 49749 | 587 | 192.168.2.6 | 66.70.204.222 | EHLO 468325
May 4, 2021 19:14:52.497628927 CEST | 587 | 49749 | 66.70.204.222 | 192.168.2.6 | 250-server.wlcserver.com Hello 468325 [84.17.52.3]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-X_PIPE_CONNECT
    250-STARTTLS
    250 HELP
May 4, 2021 19:14:52.500775099 CEST | 49749 | 587 | 192.168.2.6 | 66.70.204.222 | STARTTLS
May 4, 2021 19:14:52.632188082 CEST | 587 | 49749 | 66.70.204.222 | 192.168.2.6 | 220 TLS go ahead

                                                                  Code Manipulations

                                                                  Statistics

                                                                  Behavior


                                                                  System Behavior

                                                                  General

Start time: 19:13:01
Start date: 04/05/2021
Path: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe'
Imagebase: 0x330000
File size: 2330624 bytes
MD5 hash: 3DAD3D4918E28DED77C3E2E93A42665F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.333313035.00000000037F9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.332108343.0000000002848000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

                                                                  General

Start time: 19:13:06
Start date: 04/05/2021
Path: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe
Imagebase: 0x330000
File size: 2330624 bytes
MD5 hash: 3DAD3D4918E28DED77C3E2E93A42665F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

                                                                  General

Start time: 19:13:07
Start date: 04/05/2021
Path: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\pd9EeXdsQtNb3dQ.exe
Imagebase: 0xa90000
File size: 2330624 bytes
MD5 hash: 3DAD3D4918E28DED77C3E2E93A42665F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.587167948.0000000003031000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.582976077.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

                                                                  Disassembly

                                                                  Code Analysis
