Windows Analysis Report
BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe

Overview

General Information

Sample name: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe
Analysis ID: 1500932
MD5: 7f875e9692c89a590bec32494693d763
SHA1: 8dc17de352faefc31826e4b2de82f2bc25ce3883
SHA256: 430ca931fb30ead2352f1f6cc4c832d5e83d0586818e47febd3d9d2dd83950de
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe (PID: 6332 cmdline: "C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe" MD5: 7F875E9692C89A590BEC32494693D763)
    • powershell.exe (PID: 2616 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET-based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Extracted malware configuration (AgentTesla): {"Exfil Mode": "FTP", "Host": "ftp://beirutrest.com", "Username": "belogs@beirutrest.com", "Password": "9yXQ39wz(uL+"}
Yara matches in memory dumps (Source | Rule | Description | Author):
  • 00000004.00000002.4496651136.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 00000004.00000002.4494909978.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 00000004.00000002.4494909978.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 00000004.00000002.4496651136.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 00000004.00000002.4496651136.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  (7 entries in total; only the first 5 are shown here)

Yara matches in unpacked PE files (Source | Rule | Description | Author | Strings):
  • 4.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 4.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 4.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
    • 0x330d3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
    • 0x33145:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
    • 0x331cf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
    • 0x33261:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
    • 0x332cb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
    • 0x3333d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
    • 0x333d3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
    • 0x33463:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
  • 4.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.400000.0.unpack | MALWARE_Win_AgentTeslaV2 | AgenetTesla Type 2 Keylogger payload | ditekSHen
    • 0x304c6:$s2: GetPrivateProfileString
    • 0x2fbc5:$s3: get_OSFullName
    • 0x31203:$s5: remove_Key
    • 0x31392:$s5: remove_Key
    • 0x32273:$s6: FtpWebRequest
    • 0x330b5:$s7: logins
    • 0x33627:$s7: logins
    • 0x3630a:$s7: logins
    • 0x363ea:$s7: logins
    • 0x37ce6:$s7: logins
    • 0x36f84:$s9: 1.85 (Hash, version 2, native byte-order)
  • 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.3503f90.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  (17 entries in total; only the first 5 are shown here)

                  System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe", ParentImage: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, ParentProcessId: 6332, ParentProcessName: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe", ProcessId: 2616, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe", ParentImage: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, ParentProcessId: 6332, ParentProcessName: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe", ProcessId: 2616, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe", ParentImage: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, ParentProcessId: 6332, ParentProcessName: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe", ProcessId: 2616, ProcessName: powershell.exe
                  No Suricata rule has matched

                  AV Detection

Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Avira: detected
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.34c9970.2.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://beirutrest.com", "Username": "belogs@beirutrest.com", "Password": "9yXQ39wz(uL+"}
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | ReversingLabs: Detection: 23%
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Virustotal: Detection: 37%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Joe Sandbox ML: detected
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 4x nop then jmp 068741B5h (0_2_06873956)

                  Networking

Source: Yara match | File source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.3503f90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.34c9970.2.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View | IP Address: 50.87.144.157
Source: Joe Sandbox View | IP Address: 172.67.74.152
Source: Joe Sandbox View | IP Address: 172.67.74.152
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: beirutrest.com
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000004.00000002.4496651136.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://beirutrest.com
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000000.00000002.2069896097.000000000252E000.00000004.00000800.00020000.00000000.sdmp, BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000004.00000002.4496651136.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000000.00000002.2070418758.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000004.00000002.4494909978.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000000.00000002.2070418758.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000004.00000002.4494909978.0000000000402000.00000040.00000400.00020000.00000000.sdmp, BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000004.00000002.4496651136.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000004.00000002.4496651136.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000004.00000002.4496651136.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49706 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.34c9970.2.raw.unpack, n00.cs | .Net Code: lGCzgIzdr
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.3503f90.1.raw.unpack, n00.cs | .Net Code: lGCzgIzdr

                  System Summary

Source: 4.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.3503f90.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.3503f90.1.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.34c9970.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.34c9970.2.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.3503f90.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.3503f90.1.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.34c9970.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.34c9970.2.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 0_2_04A8DFB8
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 0_2_04A86C80
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 0_2_04A86C71
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 0_2_04A8DFA8
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 0_2_04A848C4
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 0_2_06870EE8
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 0_2_06871889
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 0_2_06871898
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 4_2_00EEE5C8
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 4_2_00EEA9E0
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 4_2_00EE4A58
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 4_2_00EEDD38
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 4_2_00EE3E40
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 4_2_00EE4188
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 4_2_068CA4D5
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 4_2_068C8970
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 4_2_068CB5F8
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 4_2_068CD3F0
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 4_2_068D7D80
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 4_2_068D55A0
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 4_2_068D65F0
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 4_2_068DB248
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 4_2_068D2350
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 4_2_068DC190
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 4_2_068D76A0
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 4_2_068D5CF8
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 4_2_068DE3A8
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 4_2_068D0040
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 4_2_068D0006
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 4_2_068D0160
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000000.00000002.2069896097.000000000252E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename2ee75d06-d489-4537-90fc-92fe0f559436.exe4 vs BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000000.00000002.2069896097.00000000024C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000000.00000002.2074656852.0000000006B20000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000000.00000002.2057831425.000000000080E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000000.00000002.2074931293.0000000008427000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXEj% vs BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000000.00000002.2070418758.00000000034C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename2ee75d06-d489-4537-90fc-92fe0f559436.exe4 vs BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000000.00000002.2070418758.00000000034C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000000.00000002.2073332166.0000000005040000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000004.00000002.4494909978.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename2ee75d06-d489-4537-90fc-92fe0f559436.exe4 vs BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000004.00000002.4495058592.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Binary or memory string: OriginalFilenamemlbo.exeB vs BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 4.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.3503f90.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.3503f90.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.34c9970.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.34c9970.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.3503f90.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.3503f90.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.34c9970.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.34c9970.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.34c9970.2.raw.unpack, NpXw3kw.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.34c9970.2.raw.unpack, NpXw3kw.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.34c9970.2.raw.unpack, gyfrCFT5x9I.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.34c9970.2.raw.unpack, gyfrCFT5x9I.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.34c9970.2.raw.unpack, gyfrCFT5x9I.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.34c9970.2.raw.unpack, gyfrCFT5x9I.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.34c9970.2.raw.unpack, fpnV0Qjz.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.34c9970.2.raw.unpack, fpnV0Qjz.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.6b20000.5.raw.unpack, xU0gFtUZqtk2agxQY9.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.36cde80.3.raw.unpack, BJCehrLTbiRMjcNY6M.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.36cde80.3.raw.unpack, BJCehrLTbiRMjcNY6M.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.36cde80.3.raw.unpack, BJCehrLTbiRMjcNY6M.cs | Security API names: _0020.AddAccessRule
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.36cde80.3.raw.unpack, xU0gFtUZqtk2agxQY9.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.6b20000.5.raw.unpack, BJCehrLTbiRMjcNY6M.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.6b20000.5.raw.unpack, BJCehrLTbiRMjcNY6M.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.6b20000.5.raw.unpack, BJCehrLTbiRMjcNY6M.cs | Security API names: _0020.AddAccessRule
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/6@2/2
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.log
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:320:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xm4obhw3.kei.ps1
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | ReversingLabs: Detection: 23%
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Virustotal: Detection: 37%
Source: unknown | Process created: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe "C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe"
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe"
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Process created: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe "C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeProcess created: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe "C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: textshaping.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: vaultcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                  Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Data Obfuscation

Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.36cde80.3.raw.unpack, BJCehrLTbiRMjcNY6M.cs | .Net Code: zhekQqkZd9 System.Reflection.Assembly.Load(byte[])
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.6b20000.5.raw.unpack, BJCehrLTbiRMjcNY6M.cs | .Net Code: zhekQqkZd9 System.Reflection.Assembly.Load(byte[])
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.5040000.4.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.24f9550.0.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 0_2_04A88AEE push 8B5004A8h; iretd 0_2_04A88AF3
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 0_2_06872F20 push eax; retf 0_2_06872F21
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 0_2_0687735D push FFFFFF8Bh; iretd 0_2_0687735F
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Code function: 4_2_00EE0C55 push edi; retf 4_2_00EE0C7A
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Static PE information: section name: .text entropy: 7.97638614028424
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.36cde80.3.raw.unpack, impLQT6mt3Cp1WMbyL.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'pu0NbB7HCs', 'KyjN7kJCyY', 'HKhNzmoBrl', 'LX0h2CIdY2', 'B8ehZbEb5I', 'jgxhNMI8qx', 'cIDhhGlj4U', 'OFkGKmk5TUHup4DhVFg'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.36cde80.3.raw.unpack, xU0gFtUZqtk2agxQY9.cs | High entropy of concatenated method names: 'aZs1i7aWJ2', 'D3D1GhQqjS', 'mEI1SCqawN', 'uc71xAhqU8', 'jX11TtHNSL', 'Qc016ALZMH', 'Nvs15RSGNJ', 'KhS1mF4Ec2', 'Vtx1bqRmA4', 'Xag17N9taI'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.36cde80.3.raw.unpack, v9o8BhaOSalRh3OUFeW.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qkpAibFvAT', 'YwHAGsNARB', 'saHASDLJYn', 'TXOAxu3cll', 'R2QATF8VWc', 'XPFA6e4MoX', 'YijA5qDO14'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.36cde80.3.raw.unpack, VXStFOh1lvwAhANhj5.cs | High entropy of concatenated method names: 'sAGJqfXXcZ', 'AN8JI7V1E9', 'bgftBKjST3', 'L9ltsGfNEh', 'WAatuEuput', 'fsFtWK8WsH', 'AyttEvUn5X', 'wvdteAT5Bx', 'gLqtXZrMMa', 'rbbtDUKTHt'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.36cde80.3.raw.unpack, aVVUWPa5q61BJGnglmH.cs | High entropy of concatenated method names: 'RPRVwTIjQO', 'uA9VrkuaqW', 'ujeVQGHmbT', 'tr1Vpixnqb', 'GZIVqnugwq', 'VOlVa7ymyi', 'LV6VIRJdUx', 'NkuVLKkdfm', 'Rb7VF1dhFr', 'N0hVO5f2eJ'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.36cde80.3.raw.unpack, JWK6eM19hNPWadxom1.cs | High entropy of concatenated method names: 'TMkdmZcpJb', 'Xgvd7EaREM', 'SIl92PUiyG', 'tS49ZiGA6k', 'H8EdvsyvDa', 'IMld3wnCui', 'jMadlUSgdL', 'hAMdidLpOX', 'btZdGrNxu7', 'GiXdSBogf1'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.36cde80.3.raw.unpack, BJCehrLTbiRMjcNY6M.cs | High entropy of concatenated method names: 'bL6hohKLM1', 'CNHhKampDc', 'BCch1pD9JF', 'gt7htMfOGT', 'UpEhJCWKsm', 'QHChHw6IAh', 'vTrh8sgu4T', 'R3Vhc7x3YW', 'CYXh05q7R7', 'sbDhn3BhwR'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.36cde80.3.raw.unpack, hBCZLdBYFJKvT03nHI.cs | High entropy of concatenated method names: 'blYtphZE9g', 'Y9ntaGHEW5', 'XDmtLfgb3R', 'wp6tFP45xm', 'R98tCifOYp', 'VWxtjNAaqh', 'Y2Ltd1GpZZ', 'HJKt9bQVwd', 'JWstVV1ETB', 'dlUtAk1SMC'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.36cde80.3.raw.unpack, LowsqtCQiLJptw4SpD.cs | High entropy of concatenated method names: 'fkm8KZwUHJ', 'Fnx8tAJsmN', 'Iq78Hv1J0B', 'bhDH7WjBAD', 'PxMHz8YyWy', 'tkO822OtmN', 'Nj68Z2eBam', 'I3H8NHlGs0', 'KIT8h8XD9H', 'hnR8kahhdg'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.36cde80.3.raw.unpack, S9gpkOisHeI05m3iUD.cs | High entropy of concatenated method names: 'OmCdnKLyjw', 'aGydYresSZ', 'ToString', 'tkhdKJc92p', 'ipOd1sOMyU', 'YTwdtC7lKi', 'lZ1dJQTklG', 'rcidHX3TRA', 'XN6d8olBcW', 'kK6dclINM4'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.36cde80.3.raw.unpack, ogJ49Y9FHLTnqwLw9b.cs | High entropy of concatenated method names: 'BlH9KB0IEa', 'Gcg91GHfut', 'gvt9tnaljX', 'vrj9JpYYCO', 'C0i9HAtfto', 'FAg982X1Op', 'LZK9cSDMNa', 'si690WRE7F', 'RuC9nnXQr0', 'X4E9YfXkRn'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.36cde80.3.raw.unpack, o31gZ7DvYrI18XYuFZ.cs | High entropy of concatenated method names: 'eC89gGVwMk', 'h5H9P6nMsw', 'vsX9BLvAc3', 'nmu9s8TN5D', 'i889iyl3BO', 'BiK9ucYhsG', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.36cde80.3.raw.unpack, EmfNhAEIQ8HQg85dNT.cs | High entropy of concatenated method names: 'je1fLiYfw6', 'XnEfFH7Mkn', 'xO6fgPphOH', 's0HfPdNvNF', 'Qelfs0S6Vu', 'jp3fuHTtkH', 'w06fEsfHl7', 'vUhfeCJT5T', 'SEvfDHSBno', 'cgVfvQGU4V'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.36cde80.3.raw.unpack, bioOLd45rPBUc4mvK8.cs | High entropy of concatenated method names: 'Dispose', 'TenZbEQUmt', 'yWENPtlYCL', 'GQYRRQNL62', 'qDcZ7tV0dl', 'zm3ZzUwhnc', 'ProcessDialogKey', 'ysXN2tBKOH', 'KX7NZ5j9oB', 'mCSNNDeCtN'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.36cde80.3.raw.unpack, hq9t2mztHXoXls48dA.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'AIuVfUhdLe', 'qVwVCr4Hna', 'fkXVj3Oglg', 'bgeVdQy07d', 'GuqV98u3um', 'yG1VVcqR8M', 'WMrVA8CwLt'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.36cde80.3.raw.unpack, PnDJmBZ6PXJLAeXjwk.cs | High entropy of concatenated method names: 'XHm8wD7FBa', 'nTh8ryfgPO', 'NIs8QPu3ha', 'mEg8pjV2cI', 'og58qB2phu', 'iIw8aL3ueg', 'Lm78IMlbA6', 'zQ08LbG206', 'VRr8Fi49wI', 'JcE8OixF8J'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.36cde80.3.raw.unpack, QwpJBWraZi6Z0833Pm.cs | High entropy of concatenated method names: 'ySNHoslQJy', 'KHOH1q6YY0', 'ItAHJhqety', 'K2vH8GkQuh', 'E2wHc9hoiS', 'bMpJTcXh62', 'eT7J6UD8UR', 'ov3J5mG8qs', 'W9lJmMsKoc', 'YLwJbMH6ky'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.36cde80.3.raw.unpack, e9BZSWkLIUA9YGXxoY.cs | High entropy of concatenated method names: 'YoiVZITiF0', 'AphVhIo9Yd', 'ybXVkR15ZW', 'jTIVK9y9xH', 'adkV1LWIND', 'jwCVJAL5x2', 'ioNVHWwwL8', 'KGo95p00qX', 'AxH9mcDJ6C', 'daD9bBK1dr'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.36cde80.3.raw.unpack, KFHh3wyaqD2IO0r0Ko.cs | High entropy of concatenated method names: 'oKKZ8OdD8S', 'KQcZc8yX7G', 'VO9ZnMy5gt', 'aoKZYVKoD4', 'iNMZCyjyFN', 'Cw4Zj4N0Bc', 'dqasej1MycqDlnWFcL', 'hC8DLj72y71U0RZCf7', 'daCZZLhC9q', 'yggZhRhf3j'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.36cde80.3.raw.unpack, hneCu6mtxvA9GvWWkd.cs | High entropy of concatenated method names: 'X43Q7WaiR', 'KlXpRNpxm', 'BxeayyGFF', 'vjEIGfhep', 'YxTFVQAt9', 'fPBOAB0lN', 'TwyHBMIJJUtRYhZTug', 'cuuOL8yJUCX5WfCj9C', 'WSQ9WWhj2', 'McNADtfpE'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.6b20000.5.raw.unpack, impLQT6mt3Cp1WMbyL.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'pu0NbB7HCs', 'KyjN7kJCyY', 'HKhNzmoBrl', 'LX0h2CIdY2', 'B8ehZbEb5I', 'jgxhNMI8qx', 'cIDhhGlj4U', 'OFkGKmk5TUHup4DhVFg'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.6b20000.5.raw.unpack, xU0gFtUZqtk2agxQY9.cs | High entropy of concatenated method names: 'aZs1i7aWJ2', 'D3D1GhQqjS', 'mEI1SCqawN', 'uc71xAhqU8', 'jX11TtHNSL', 'Qc016ALZMH', 'Nvs15RSGNJ', 'KhS1mF4Ec2', 'Vtx1bqRmA4', 'Xag17N9taI'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.6b20000.5.raw.unpack, v9o8BhaOSalRh3OUFeW.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qkpAibFvAT', 'YwHAGsNARB', 'saHASDLJYn', 'TXOAxu3cll', 'R2QATF8VWc', 'XPFA6e4MoX', 'YijA5qDO14'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.6b20000.5.raw.unpack, VXStFOh1lvwAhANhj5.cs | High entropy of concatenated method names: 'sAGJqfXXcZ', 'AN8JI7V1E9', 'bgftBKjST3', 'L9ltsGfNEh', 'WAatuEuput', 'fsFtWK8WsH', 'AyttEvUn5X', 'wvdteAT5Bx', 'gLqtXZrMMa', 'rbbtDUKTHt'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.6b20000.5.raw.unpack, aVVUWPa5q61BJGnglmH.cs | High entropy of concatenated method names: 'RPRVwTIjQO', 'uA9VrkuaqW', 'ujeVQGHmbT', 'tr1Vpixnqb', 'GZIVqnugwq', 'VOlVa7ymyi', 'LV6VIRJdUx', 'NkuVLKkdfm', 'Rb7VF1dhFr', 'N0hVO5f2eJ'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.6b20000.5.raw.unpack, JWK6eM19hNPWadxom1.cs | High entropy of concatenated method names: 'TMkdmZcpJb', 'Xgvd7EaREM', 'SIl92PUiyG', 'tS49ZiGA6k', 'H8EdvsyvDa', 'IMld3wnCui', 'jMadlUSgdL', 'hAMdidLpOX', 'btZdGrNxu7', 'GiXdSBogf1'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.6b20000.5.raw.unpack, BJCehrLTbiRMjcNY6M.cs | High entropy of concatenated method names: 'bL6hohKLM1', 'CNHhKampDc', 'BCch1pD9JF', 'gt7htMfOGT', 'UpEhJCWKsm', 'QHChHw6IAh', 'vTrh8sgu4T', 'R3Vhc7x3YW', 'CYXh05q7R7', 'sbDhn3BhwR'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.6b20000.5.raw.unpack, hBCZLdBYFJKvT03nHI.cs | High entropy of concatenated method names: 'blYtphZE9g', 'Y9ntaGHEW5', 'XDmtLfgb3R', 'wp6tFP45xm', 'R98tCifOYp', 'VWxtjNAaqh', 'Y2Ltd1GpZZ', 'HJKt9bQVwd', 'JWstVV1ETB', 'dlUtAk1SMC'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.6b20000.5.raw.unpack, LowsqtCQiLJptw4SpD.cs | High entropy of concatenated method names: 'fkm8KZwUHJ', 'Fnx8tAJsmN', 'Iq78Hv1J0B', 'bhDH7WjBAD', 'PxMHz8YyWy', 'tkO822OtmN', 'Nj68Z2eBam', 'I3H8NHlGs0', 'KIT8h8XD9H', 'hnR8kahhdg'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.6b20000.5.raw.unpack, S9gpkOisHeI05m3iUD.cs | High entropy of concatenated method names: 'OmCdnKLyjw', 'aGydYresSZ', 'ToString', 'tkhdKJc92p', 'ipOd1sOMyU', 'YTwdtC7lKi', 'lZ1dJQTklG', 'rcidHX3TRA', 'XN6d8olBcW', 'kK6dclINM4'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.6b20000.5.raw.unpack, ogJ49Y9FHLTnqwLw9b.cs | High entropy of concatenated method names: 'BlH9KB0IEa', 'Gcg91GHfut', 'gvt9tnaljX', 'vrj9JpYYCO', 'C0i9HAtfto', 'FAg982X1Op', 'LZK9cSDMNa', 'si690WRE7F', 'RuC9nnXQr0', 'X4E9YfXkRn'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.6b20000.5.raw.unpack, o31gZ7DvYrI18XYuFZ.cs | High entropy of concatenated method names: 'eC89gGVwMk', 'h5H9P6nMsw', 'vsX9BLvAc3', 'nmu9s8TN5D', 'i889iyl3BO', 'BiK9ucYhsG', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.6b20000.5.raw.unpack, EmfNhAEIQ8HQg85dNT.cs | High entropy of concatenated method names: 'je1fLiYfw6', 'XnEfFH7Mkn', 'xO6fgPphOH', 's0HfPdNvNF', 'Qelfs0S6Vu', 'jp3fuHTtkH', 'w06fEsfHl7', 'vUhfeCJT5T', 'SEvfDHSBno', 'cgVfvQGU4V'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.6b20000.5.raw.unpack, bioOLd45rPBUc4mvK8.cs | High entropy of concatenated method names: 'Dispose', 'TenZbEQUmt', 'yWENPtlYCL', 'GQYRRQNL62', 'qDcZ7tV0dl', 'zm3ZzUwhnc', 'ProcessDialogKey', 'ysXN2tBKOH', 'KX7NZ5j9oB', 'mCSNNDeCtN'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.6b20000.5.raw.unpack, hq9t2mztHXoXls48dA.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'AIuVfUhdLe', 'qVwVCr4Hna', 'fkXVj3Oglg', 'bgeVdQy07d', 'GuqV98u3um', 'yG1VVcqR8M', 'WMrVA8CwLt'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.6b20000.5.raw.unpack, PnDJmBZ6PXJLAeXjwk.cs | High entropy of concatenated method names: 'XHm8wD7FBa', 'nTh8ryfgPO', 'NIs8QPu3ha', 'mEg8pjV2cI', 'og58qB2phu', 'iIw8aL3ueg', 'Lm78IMlbA6', 'zQ08LbG206', 'VRr8Fi49wI', 'JcE8OixF8J'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.6b20000.5.raw.unpack, QwpJBWraZi6Z0833Pm.cs | High entropy of concatenated method names: 'ySNHoslQJy', 'KHOH1q6YY0', 'ItAHJhqety', 'K2vH8GkQuh', 'E2wHc9hoiS', 'bMpJTcXh62', 'eT7J6UD8UR', 'ov3J5mG8qs', 'W9lJmMsKoc', 'YLwJbMH6ky'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.6b20000.5.raw.unpack, e9BZSWkLIUA9YGXxoY.cs | High entropy of concatenated method names: 'YoiVZITiF0', 'AphVhIo9Yd', 'ybXVkR15ZW', 'jTIVK9y9xH', 'adkV1LWIND', 'jwCVJAL5x2', 'ioNVHWwwL8', 'KGo95p00qX', 'AxH9mcDJ6C', 'daD9bBK1dr'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.6b20000.5.raw.unpack, KFHh3wyaqD2IO0r0Ko.cs | High entropy of concatenated method names: 'oKKZ8OdD8S', 'KQcZc8yX7G', 'VO9ZnMy5gt', 'aoKZYVKoD4', 'iNMZCyjyFN', 'Cw4Zj4N0Bc', 'dqasej1MycqDlnWFcL', 'hC8DLj72y71U0RZCf7', 'daCZZLhC9q', 'yggZhRhf3j'
Source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.6b20000.5.raw.unpack, hneCu6mtxvA9GvWWkd.cs | High entropy of concatenated method names: 'X43Q7WaiR', 'KlXpRNpxm', 'BxeayyGFF', 'vjEIGfhep', 'YxTFVQAt9', 'fPBOAB0lN', 'TwyHBMIJJUtRYhZTug', 'cuuOL8yJUCX5WfCj9C', 'WSQ9WWhj2', 'McNADtfpE'

                  Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 times)
Note: powershell.exe reads module manifests (.psd1) under PSModulePath while resolving a command name, so opening BitLocker.psd1 is a side effect of command discovery and is not, by itself, evidence that the sample uses BitLocker.
Source: Possible double extension: docx.scr | Static PE information: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Note: change notifications on the AuthRoot keys are consistent with CryptoAPI opening the system root certificate store (for example, to validate a TLS server certificate); on their own they do not indicate tampering with the store.
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Process information set: NOOPENFILEERRORBOX (44 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (98 times)
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Process information set: NOOPENFILEERRORBOX (63 times)
Note: NOOPENFILEERRORBOX is the SEM_NOOPENFILEERRORBOX flag of SetErrorMode; it stops Windows from showing an error dialog when a file open fails and returns the error to the caller instead. Runtimes and many legitimate applications set it, so it is a low-weight observation.

Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe PID: 6332, type: MEMORYSTR
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Memory allocated: B50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Memory allocated: 24C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Memory allocated: 44C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Memory allocated: 84D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Memory allocated: 94D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Memory allocated: 96D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Memory allocated: A6D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Memory allocated: EE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Memory allocated: 2C60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Memory allocated: 1200000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 599891
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 599781
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 599672
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 599563
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 599446
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 599328
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 599179
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 599030
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 598920
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 598797
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 598672
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 598563
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 598438
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 598328
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 598218
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 598094
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 597985
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 597860
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 597735
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 597610
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 597485
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 597360
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 597250
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 597110
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 597000
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 596891
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 596766
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 596656
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 596547
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 596407
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 596297
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 596187
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 596078
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 595969
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 595859
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 595750
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 595641
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 595516
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 595391
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 595281
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 595172
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 595063
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 594937
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 594828
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 594719
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 594594
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 594483
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 594375
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 594266
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 594156
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6245
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3291
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Window / User API: threadDelayed 7622
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Window / User API: threadDelayed 2213
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 3252 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7320 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7280 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep count: 37 > 30
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7348 | Thread sleep count: 7622 > 30
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -599891s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7348 | Thread sleep count: 2213 > 30
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -599672s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -599563s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -599446s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -599179s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -599030s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -598920s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -598797s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -598672s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -598563s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -598438s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -598328s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -598218s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -598094s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -597985s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -597860s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -597735s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -597610s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -597485s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -597360s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -597250s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -597110s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -597000s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -596891s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -596766s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -596656s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -596547s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -596407s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -596297s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -596187s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -596078s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -595969s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -595859s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -595750s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -595641s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -595516s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -595391s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -595281s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -595172s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -595063s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -594937s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -594828s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -594719s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -594594s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -594483s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -594375s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -594266s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe TID: 7344 | Thread sleep time: -594156s >= -30000s
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 599891
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 599781
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 599672
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 599563
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 599446
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 599328
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 599179
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 599030
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 598920
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 598797
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 598672
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 598563
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 598438
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 598328
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 598218
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 598094
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 597985
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 597860
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 597735
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 597610
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 597485
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 597360
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 597250
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 597110
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 597000
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 596891
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 596766
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 596656
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 596547
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 596407
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 596297
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 596187
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 596078
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 595969
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 595859
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 595750
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 595641
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 595516
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 595391
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 595281
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 595172
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 595063
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 594937
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 594828
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 594719
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 594594
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 594483
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 594375
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 594266
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Thread delayed: delay time: 594156
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000000.00000002.2057831425.0000000000842000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000004.00000002.4495755481.00000000010D2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe"
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe"
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Memory written: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe"
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Process created: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe "C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe"
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Queries volume information: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe VolumeInformation
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeQueries volume information: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 4.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.3503f90.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.34c9970.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.3503f90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.34c9970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4496651136.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4494909978.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4496651136.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2070418758.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe PID: 6332, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe PID: 4952, type: MEMORYSTR
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 4.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.3503f90.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.34c9970.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.3503f90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.34c9970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4494909978.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4496651136.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2070418758.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe PID: 6332, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe PID: 4952, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 4.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.3503f90.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.34c9970.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.3503f90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe.34c9970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4496651136.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4494909978.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4496651136.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2070418758.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe PID: 6332, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe PID: 4952, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 111 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 24 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 13 Obfuscated Files or Information | 1 Credentials in Registry | 1 Query Registry | SMB/Windows Admin Shares | 1 Email Collection | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 111 Security Software Discovery | Distributed Component Object Model | 1 Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Masquerading | Cached Domain Credentials | 141 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 141 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 111 Process Injection | Proc Filesystem | 1 System Network Configuration Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label
BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | 24% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | 37% | Virustotal |
BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | 100% | Avira | HEUR/AGEN.1306920
BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
https://api.ipify.org/ | 0% | URL Reputation | safe
https://api.ipify.org | 0% | URL Reputation | safe
https://account.dyn.com/ | 0% | URL Reputation | safe
https://api.ipify.org/t | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://beirutrest.com | 0% | Avira URL Cloud | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
beirutrest.com | 50.87.144.157 | true | true | | unknown
api.ipify.org | 172.67.74.152 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | URL Reputation: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000000.00000002.2070418758.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000004.00000002.4494909978.0000000000402000.00000040.00000400.00020000.00000000.sdmp, BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000004.00000002.4496651136.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://account.dyn.com/ | BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000000.00000002.2070418758.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000004.00000002.4494909978.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org/t | BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000004.00000002.4496651136.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000000.00000002.2069896097.000000000252E000.00000004.00000800.00020000.00000000.sdmp, BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000004.00000002.4496651136.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://beirutrest.com | BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe, 00000004.00000002.4496651136.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown

IP | Domain | Country | ASN | ASN Name | Malicious
50.87.144.157 | beirutrest.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
172.67.74.152 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1500932
Start date and time: 2024-08-29 06:23:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@6/6@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 100
• Number of non-executed functions: 13
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Time | Type | Description
00:23:57 | API Interceptor | 11020363x Sleep call for process: BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe modified
00:23:59 | API Interceptor | 9x Sleep call for process: powershell.exe modified
                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      50.87.144.157Port Agency Appointment - VELOS ONYX.pdf.scr.exeGet hashmaliciousAgentTeslaBrowse
                        UNITY SAKURA - VESSEL'S_PARTICULARS.pdf.scr.exeGet hashmaliciousAgentTeslaBrowse
                          BGC-2024-EST-001 & BGC-2024-DST-003.xlsx.scr.exeGet hashmaliciousAgentTeslaBrowse
                            V022.20.pdf.scr.exeGet hashmaliciousAgentTesla, PureLog Stealer, zgRATBrowse
                              E_QUOT_XLS_45-ELC205049A_P930M.xls.scr.exeGet hashmaliciousAgentTesla, PureLog Stealer, zgRATBrowse
                                D121-D122-D123-D127-D128-D130-23-8-2024.xls.scr.exeGet hashmaliciousAgentTesla, PureLog Stealer, zgRATBrowse
                                  MT.Hunter - Vessel's Details.doc.scr.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                    MV Catalina Particulars.pdf.scr.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                      AQUAVITA AIM - VSL's PARTICULARS.docx.scr.exeGet hashmaliciousAgentTeslaBrowse
                                        MV KAI RUI - TC PARTICULARS.docx.scr.exeGet hashmaliciousAgentTeslaBrowse
                                          172.67.74.152zE7Ken4cFt.dllGet hashmaliciousQuasarBrowse
                                          • api.ipify.org/
                                          FormPlayer.exeGet hashmaliciousUnknownBrowse
                                          • api.ipify.org/
                                          PandaClient.exeGet hashmaliciousUnknownBrowse
                                          • api.ipify.org/
                                          golang-modules.exeGet hashmaliciousUnknownBrowse
                                          • api.ipify.org/
                                          SecuriteInfo.com.Trojan.Win64.Agent.14415.19839.exeGet hashmaliciousUnknownBrowse
                                          • api.ipify.org/
                                          242764.exeGet hashmaliciousFicker Stealer, Rusty StealerBrowse
                                          • api.ipify.org/?format=wef
                                          K8mzlntJVN.msiGet hashmaliciousUnknownBrowse
                                          • api.ipify.org/
                                          stub.exeGet hashmaliciousUnknownBrowse
                                          • api.ipify.org/
                                          stub.exeGet hashmaliciousUnknownBrowse
                                          • api.ipify.org/
                                          Sonic-Glyder.exeGet hashmaliciousStealitBrowse
                                          • api.ipify.org/?format=json
Match | Associated Sample Name / URL | Detection | Threat Name | Context
beirutrest.com | Port Agency Appointment - VELOS ONYX.pdf.scr.exe | malicious | AgentTesla | 50.87.144.157
| UNITY SAKURA - VESSEL'S_PARTICULARS.pdf.scr.exe | malicious | AgentTesla | 50.87.144.157
| BGC-2024-EST-001 & BGC-2024-DST-003.xlsx.scr.exe | malicious | AgentTesla | 50.87.144.157
| V022.20.pdf.scr.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 50.87.144.157
| E_QUOT_XLS_45-ELC205049A_P930M.xls.scr.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 50.87.144.157
| D121-D122-D123-D127-D128-D130-23-8-2024.xls.scr.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 50.87.144.157
| MT.Hunter - Vessel's Details.doc.scr.exe | malicious | AgentTesla, PureLog Stealer | 50.87.144.157
| MV Catalina Particulars.pdf.scr.exe | malicious | AgentTesla, PureLog Stealer | 50.87.144.157
| AQUAVITA AIM - VSL's PARTICULARS.docx.scr.exe | malicious | AgentTesla | 50.87.144.157
| MV KAI RUI - TC PARTICULARS.docx.scr.exe | malicious | AgentTesla | 50.87.144.157
api.ipify.org | SecuriteInfo.com.BackDoor.SpyBotNET.62.13095.12836.exe | malicious | AgentTesla | 104.26.12.205
| rARKMONEY.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
| z55enyioma.exe | malicious | AgentTesla | 104.26.12.205
| https://request-label-13956753.pages.dev/help/contact/135346556695032 | malicious | Unknown | 104.26.13.205
| file.exe | malicious | Meduza Stealer | 104.26.12.205
| file.exe | malicious | Meduza Stealer | 104.26.12.205
| 1C24TDH_00017388.pdf.exe | malicious | AgentTesla | 104.26.12.205
| Revised PI 28 08 2024.exe | malicious | AgentTesla | 172.67.74.152
| Port Agency Appointment - VELOS ONYX.pdf.scr.exe | malicious | AgentTesla | 104.26.12.205
| UNITY SAKURA - VESSEL'S_PARTICULARS.pdf.scr.exe | malicious | AgentTesla | 104.26.13.205
Match | Associated Sample Name / URL | Detection | Threat Name | Context
UNIFIEDLAYER-AS-1US | Catalina - Particulars.pdf.scr.exe | malicious | AgentTesla | 50.87.144.157
| rRFQ.bat.exe | malicious | FormBook | 162.241.226.190
| http://pxe.wvs.mybluehost.me/wise/number-account-854630/pages/login.php | malicious | Unknown | 50.87.253.221
| 28082024.html | malicious | HTMLPhisher | 69.49.245.172
| https://shorturl.at/1l4Xw | malicious | HTMLPhisher | 69.49.230.198
| https://assets-usa.mkt.dynamics.com/c9f731e3-0864-ef11-a66d-6045bd003021/digitalassets/standaloneforms/0424cf3e-7364-ef11-bfe2-6045bd055762 | malicious | HTMLPhisher | 162.241.61.243
| REQUEST FOR QUOTATION.exe | malicious | FormBook, GuLoader | 162.240.81.18
| mbda-us.comAudiowav012.html | malicious | HTMLPhisher | 69.49.245.172
| mbda-us.comAudiowav012.html | malicious | HTMLPhisher | 69.49.245.172
| factura-630.900.exe | malicious | FormBook | 162.241.226.190
CLOUDFLARENETUS | Catalina - Particulars.pdf.scr.exe | malicious | AgentTesla | 172.67.74.152
| file.exe | malicious | Unknown | 188.114.96.3
| SecuriteInfo.com.BackDoor.SpyBotNET.62.13095.12836.exe | malicious | AgentTesla | 104.26.12.205
| file.exe | malicious | Unknown | 172.64.41.3
| Payment Advice.exe | malicious | FormBook | 172.67.210.102
| SecuriteInfo.com.W32.MSIL_Kryptik.KTU.gen.Eldorado.3036.13101.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
| Spec sheet.exe | malicious | Snake Keylogger | 188.114.96.3
| file.exe | malicious | Unknown | 172.64.41.3
| file.exe | malicious | Unknown | 172.64.41.3
| vYhaKbJF08.exe | malicious | LummaC | 104.21.16.74
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Catalina - Particulars.pdf.scr.exe | malicious | AgentTesla | 172.67.74.152
| SecuriteInfo.com.BackDoor.SpyBotNET.62.13095.12836.exe | malicious | AgentTesla | 172.67.74.152
| SecuriteInfo.com.W32.MSIL_Kryptik.KTU.gen.Eldorado.3036.13101.exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.74.152
| pop.vbs | malicious | Remcos | 172.67.74.152
| rVAKIFBANK-#U00d6demeonaymakbuzu20240826.pdf.exe | malicious | Quasar | 172.67.74.152
| rARKMONEY.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
| z55enyioma.exe | malicious | AgentTesla | 172.67.74.152
| http://identifier-vous456.wixsite.com/my-site/ | malicious | Unknown | 172.67.74.152
| https://1113a6f.netsolhost.com/ | malicious | Unknown | 172.67.74.152
| http://pub-0c5198abed8c43b8a5e3815e602f4134.r2.dev/index.html | malicious | Unknown | 172.67.74.152
                                          No context
                                          Process:C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.34331486778365
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                          Malicious:true
                                          Reputation:high, very likely benign file
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):1172
                                          Entropy (8bit):5.354777075714867
                                          Encrypted:false
                                          SSDEEP:24:3gWSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NKIl9r6dj:QWSU4y4RQmFoUeWmfmZ9tK8NDE
                                          MD5:92C17FC0DE8449D1E50ED56DBEBAA35D
                                          SHA1:A617D392757DC7B1BEF28448B72CBD131CF4D0FB
                                          SHA-256:DA2D2B57AFF1C99E62DD8102CF4DB3F2F0621D687D275BFAF3DB77772131E485
                                          SHA-512:603922B790E772A480C9BF4CFD621827085B0070131EF29DC283F0E901CF783034384F8815C092D79A6EA5DF382EF78AF5AC3D81EBD118D2D5C1E623CE5553D1
                                          Malicious:false
                                          Reputation:moderate, very likely benign file
                                          Preview:@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Reputation:high, very likely benign file
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Reputation:high, very likely benign file
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.96968456911182
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe
                                          File size:671'232 bytes
                                          MD5:7f875e9692c89a590bec32494693d763
                                          SHA1:8dc17de352faefc31826e4b2de82f2bc25ce3883
                                          SHA256:430ca931fb30ead2352f1f6cc4c832d5e83d0586818e47febd3d9d2dd83950de
                                          SHA512:08b8ad9c879456f167222d7508820925ea64985610fa9595db8351b83e8b2efcdd5e260ef9e8e885a71b0efbf0133984484ac4287bb326c9e83232263fd9aa6b
                                          SSDEEP:12288:2VVepom/97r1zsxaZhFnUX+AzXbZ+8XfTUWOhlFGcW:4y+AZhFQ5zrZ+mUlHh
                                          TLSH:80E4236442AD8B22DDFA47B968D04B2093FFB233650DEF296CC921DE4AB3B41551371B
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0.. ..........Z?... ...@....@.. ....................................@................................
                                          Icon Hash:cd4c022d219a9901
                                          Entrypoint:0x4a3f5a
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x66CFE1FC [Thu Aug 29 02:50:36 2024 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add al, 00h
                                          add eax, dword ptr [eax]
                                          add byte ptr [eax], al
                                          xor byte ptr [eax], al
                                          add byte ptr [eax+0000000Eh], al
                                          pushad
                                          add byte ptr [eax], al
                                          adc byte ptr [eax], 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa3f08 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa4000 | 0x1924 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa1f60 | 0xa2000 | a96e89dbb1a687d2dfc71509bf1c190b | False | 0.9733931929976852 | data | 7.97638614028424 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xa4000 | 0x1924 | 0x1a00 | eac3f468de2c7b14a9555ac790993447 | False | 0.8197115384615384 | data | 7.124419069601494 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa6000 | 0xc | 0x200 | a0e5df0ed077da44e37c7c2907adc9aa | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xa4100 | 0x12c4 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9708576186511241
RT_GROUP_ICON | 0xa53d4 | 0x14 | data | | | 1.05
RT_VERSION | 0xa53f8 | 0x32c | data | | | 0.4273399014778325
RT_MANIFEST | 0xa5734 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 29, 2024 06:24:00.483495951 CEST | 49706 | 443 | 192.168.2.5 | 172.67.74.152
Aug 29, 2024 06:24:00.483526945 CEST | 443 | 49706 | 172.67.74.152 | 192.168.2.5
Aug 29, 2024 06:24:00.483769894 CEST | 49706 | 443 | 192.168.2.5 | 172.67.74.152
Aug 29, 2024 06:24:00.489193916 CEST | 49706 | 443 | 192.168.2.5 | 172.67.74.152
Aug 29, 2024 06:24:00.489209890 CEST | 443 | 49706 | 172.67.74.152 | 192.168.2.5
Aug 29, 2024 06:24:00.992239952 CEST | 443 | 49706 | 172.67.74.152 | 192.168.2.5
Aug 29, 2024 06:24:00.992315054 CEST | 49706 | 443 | 192.168.2.5 | 172.67.74.152
Aug 29, 2024 06:24:00.995832920 CEST | 49706 | 443 | 192.168.2.5 | 172.67.74.152
Aug 29, 2024 06:24:00.995841980 CEST | 443 | 49706 | 172.67.74.152 | 192.168.2.5
Aug 29, 2024 06:24:00.996090889 CEST | 443 | 49706 | 172.67.74.152 | 192.168.2.5
Aug 29, 2024 06:24:01.044910908 CEST | 49706 | 443 | 192.168.2.5 | 172.67.74.152
Aug 29, 2024 06:24:01.088505983 CEST | 443 | 49706 | 172.67.74.152 | 192.168.2.5
Aug 29, 2024 06:24:01.153729916 CEST | 443 | 49706 | 172.67.74.152 | 192.168.2.5
Aug 29, 2024 06:24:01.153780937 CEST | 443 | 49706 | 172.67.74.152 | 192.168.2.5
Aug 29, 2024 06:24:01.153857946 CEST | 49706 | 443 | 192.168.2.5 | 172.67.74.152
Aug 29, 2024 06:24:01.159681082 CEST | 49706 | 443 | 192.168.2.5 | 172.67.74.152
Aug 29, 2024 06:24:01.912136078 CEST | 49708 | 21 | 192.168.2.5 | 50.87.144.157
Aug 29, 2024 06:24:01.916984081 CEST | 21 | 49708 | 50.87.144.157 | 192.168.2.5
Aug 29, 2024 06:24:01.917088032 CEST | 49708 | 21 | 192.168.2.5 | 50.87.144.157
Aug 29, 2024 06:24:01.928231955 CEST | 49708 | 21 | 192.168.2.5 | 50.87.144.157
Aug 29, 2024 06:24:01.933263063 CEST | 21 | 49708 | 50.87.144.157 | 192.168.2.5
Aug 29, 2024 06:24:01.933327913 CEST | 49708 | 21 | 192.168.2.5 | 50.87.144.157
                                          Timestamp                              Source Port  Dest Port  Source IP        Dest IP
                                          Aug 29, 2024 06:24:00.468781948 CEST   57617        53         192.168.2.5      1.1.1.1
                                          Aug 29, 2024 06:24:00.475406885 CEST   53           57617      1.1.1.1          192.168.2.5
                                          Aug 29, 2024 06:24:01.745371103 CEST   61487        53         192.168.2.5      1.1.1.1
                                          Aug 29, 2024 06:24:01.911338091 CEST   53           61487      1.1.1.1          192.168.2.5
                                          Timestamp                              Source IP    Dest IP  Trans ID  OP Code             Name            Type            Class        DNS over HTTPS
                                          Aug 29, 2024 06:24:00.468781948 CEST   192.168.2.5  1.1.1.1  0xd347    Standard query (0)  api.ipify.org   A (IP address)  IN (0x0001)  false
                                          Aug 29, 2024 06:24:01.745371103 CEST   192.168.2.5  1.1.1.1  0x7d55    Standard query (0)  beirutrest.com  A (IP address)  IN (0x0001)  false
                                          Timestamp                              Source IP  Dest IP      Trans ID  Reply Code    Name            CName  Address        Type            Class        DNS over HTTPS
                                          Aug 29, 2024 06:24:00.475406885 CEST   1.1.1.1    192.168.2.5  0xd347    No error (0)  api.ipify.org   -      172.67.74.152  A (IP address)  IN (0x0001)  false
                                          Aug 29, 2024 06:24:00.475406885 CEST   1.1.1.1    192.168.2.5  0xd347    No error (0)  api.ipify.org   -      104.26.13.205  A (IP address)  IN (0x0001)  false
                                          Aug 29, 2024 06:24:00.475406885 CEST   1.1.1.1    192.168.2.5  0xd347    No error (0)  api.ipify.org   -      104.26.12.205  A (IP address)  IN (0x0001)  false
                                          Aug 29, 2024 06:24:01.911338091 CEST   1.1.1.1    192.168.2.5  0x7d55    No error (0)  beirutrest.com  -      50.87.144.157  A (IP address)  IN (0x0001)  false
                                          • api.ipify.org
                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                          0           192.168.2.5  49706        172.67.74.152   443               4952  C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe
                                          Timestamp: 2024-08-29 04:24:01 UTC, Bytes transferred: 155, Direction: OUT
                                          GET / HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                          Host: api.ipify.org
                                          Connection: Keep-Alive

                                          Timestamp: 2024-08-29 04:24:01 UTC, Bytes transferred: 211, Direction: IN
                                          HTTP/1.1 200 OK
                                          Date: Thu, 29 Aug 2024 04:24:01 GMT
                                          Content-Type: text/plain
                                          Content-Length: 11
                                          Connection: close
                                          Vary: Origin
                                          CF-Cache-Status: DYNAMIC
                                          Server: cloudflare
                                          CF-RAY: 8ba9c4ded97742db-EWR

                                          Timestamp: 2024-08-29 04:24:01 UTC, Bytes transferred: 11, Direction: IN
                                          Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                          Data Ascii: 8.46.123.33


                                          Target ID: 0
                                          Start time: 00:23:56
                                          Start date: 29/08/2024
                                          Path: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe
                                          Wow64 process (32bit): true
                                          Commandline: "C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe"
                                          Imagebase: 0x140000
                                          File size: 671'232 bytes
                                          MD5 hash: 7F875E9692C89A590BEC32494693D763
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2070418758.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2070418758.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation: low
                                          Has exited: true

                                          Target ID: 3
                                          Start time: 00:23:57
                                          Start date: 29/08/2024
                                          Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit): true
                                          Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe"
                                          Imagebase: 0x640000
                                          File size: 433'152 bytes
                                          MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: C, C++ or other language
                                          Reputation: high
                                          Has exited: true

                                          Target ID: 4
                                          Start time: 00:23:58
                                          Start date: 29/08/2024
                                          Path: C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe
                                          Wow64 process (32bit): true
                                          Commandline: "C:\Users\user\Desktop\BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe"
                                          Imagebase: 0x860000
                                          File size: 671'232 bytes
                                          MD5 hash: 7F875E9692C89A590BEC32494693D763
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4496651136.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4494909978.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4494909978.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4496651136.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4496651136.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation: low
                                          Has exited: false

                                          Target ID: 5
                                          Start time: 00:23:58
                                          Start date: 29/08/2024
                                          Path: C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit): false
                                          Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase: 0x7ff6d64d0000
                                          File size: 862'208 bytes
                                          MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: C, C++ or other language
                                          Reputation: high
                                          Has exited: true

                                            Execution Graph

                                            Execution Coverage: 9%
                                            Dynamic/Decrypted Code Coverage: 100%
                                            Signature Coverage: 0%
                                            Total number of Nodes: 317
                                            Total number of Limit Nodes: 13

                                            Control-flow Graph of the function at 4a8dfb8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071673058.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4a80000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $eq
                                            • API String ID: 0-731066626
                                            • Opcode ID: 40ee2ee46e0237d6f16c4c8ccf450c027e8e1ad99c499ac848d5b028cf6e0bbd
                                            • Instruction ID: dd7fc0f96fdaca574dc28d91e07bdfa66123e62fe63ce6f4db7197411625dbbb
                                            • Opcode Fuzzy Hash: 40ee2ee46e0237d6f16c4c8ccf450c027e8e1ad99c499ac848d5b028cf6e0bbd
                                            • Instruction Fuzzy Hash: D7F2CC74A11619CFDB54EF68C894A99B7B1FF89300F1186E9E409AB361DB35AEC1CF40
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071673058.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4a80000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $eq
                                            • API String ID: 0-731066626
                                            • Opcode ID: 2c195e45a8ffba3cd819da5098441515e01533c5a7770f574661922f89720791
                                            • Instruction ID: 333269a62b85ca2671527e9262bd24f2920f64162f579fbd2ef17581df926ef8
                                            • Opcode Fuzzy Hash: 2c195e45a8ffba3cd819da5098441515e01533c5a7770f574661922f89720791
                                            • Instruction Fuzzy Hash: C5E2B634A11619CFDB55EF64C898A99B7B1FF89300F5182E9E409AB361DB34AEC5CF40

                                            Control-flow Graph of the function at 4a81af0
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 04A81D46
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071673058.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4a80000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID: lO|$lO|
                                            • API String ID: 4139908857-1402546280
                                            • Opcode ID: 4ee1348128aaaebda0cb166eed3db126e98cb5026a038a1f83f266bc5938cb28
                                            • Instruction ID: ce7cd7224b09b4029589e6711562d5d9b0d2854de784a3fd677ad139514a1818
                                            • Opcode Fuzzy Hash: 4ee1348128aaaebda0cb166eed3db126e98cb5026a038a1f83f266bc5938cb28
                                            • Instruction Fuzzy Hash: B17101B0A00B058FD764EF29D14479ABBF5FF88304F04892DD48A97A50E779F946CB90

                                            Control-flow Graph of the function at 687200c
                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0687224E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2074306407.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6870000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 94e3475583279314982794d8cc09b7191ed57dd4b7a1172f13ee11cfc25002fb
                                            • Instruction ID: 85f21156a9ae3c70f3c19e982de6043c045eb40c34672fecab2c2b7c66c17eb4
                                            • Opcode Fuzzy Hash: 94e3475583279314982794d8cc09b7191ed57dd4b7a1172f13ee11cfc25002fb
                                            • Instruction Fuzzy Hash: 52A15971D002198FEB60CF68C851BEDBBF2BF48310F1485A9E909E7250DB759A85CFA1

                                            Control-flow Graph
                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0687224E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2074306407.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6870000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 7a3c41e311fcbef6d636ce282ca9060e3b20a3482de8c66c3542cf2c746fae01
                                            • Instruction ID: 02dc3b2fc9768ebdc13518c3f5c843cf4648fcef9cb5ee50194ca9558018ebdd
                                            • Opcode Fuzzy Hash: 7a3c41e311fcbef6d636ce282ca9060e3b20a3482de8c66c3542cf2c746fae01
                                            • Instruction Fuzzy Hash: F6915971D002198FEB60CF68C851BEDBBF2BB48310F1485A9E909E7250DB759A85CFA1

                                            Control-flow Graph
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04A88642
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071673058.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4a80000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 8093c7c744bd6709fa562e6baa100aad2d29a4bc61a3a0d36e8a1013f264f611
                                            • Instruction ID: 3fbfde3f1efe902f10b55d9d75ec597f3fe9e478315bb170af06b8ec48a086a5
                                            • Opcode Fuzzy Hash: 8093c7c744bd6709fa562e6baa100aad2d29a4bc61a3a0d36e8a1013f264f611
                                            • Instruction Fuzzy Hash: 2C5133B1C003599FDB15DFA9C890ADEBFB1EF89300F64816EE418AB211DB74A845CF94

                                            Control-flow Graph
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04A88642
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071673058.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4a80000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 07c1249c4ad494f4ddff841c29fa0a06874943bd4407be968f2785333a387368
                                            • Instruction ID: ba80af99ce617e3610a4c6eab8b0d8440a653b16844ac2d6e3a02a813ce0b425
                                            • Opcode Fuzzy Hash: 07c1249c4ad494f4ddff841c29fa0a06874943bd4407be968f2785333a387368
                                            • Instruction Fuzzy Hash: D151CEB1D003099FDB14DF99C984ADEBBB5FF88310F64852EE819AB210DB75A945CF90

                                            Control-flow Graph
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04A88642
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071673058.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4a80000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: b0696c9f5010e12af890c14e69794caa9cadeea4c23733ad5865d057cde05bab
                                            • Instruction ID: 86ea6d081de4bf6c1a3682904e2c36a4ba7302496f04e89992251386c37d9c72
                                            • Opcode Fuzzy Hash: b0696c9f5010e12af890c14e69794caa9cadeea4c23733ad5865d057cde05bab
                                            • Instruction Fuzzy Hash: 1051BFB1D003099FDB14DF99C984ADEBBB5FF88310F64852EE819AB210DB75A945CF90

                                            Control-flow Graph
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 00B959C9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2068660054.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b90000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 2c7f15816733597e2be19c830c3ee0dc75d62c4a178d464a87500a091cea55d3
                                            • Instruction ID: d4e0b3a6cafde98b7827861e33879ac5cf85dd78a8442321a2a74528e33cfb87
                                            • Opcode Fuzzy Hash: 2c7f15816733597e2be19c830c3ee0dc75d62c4a178d464a87500a091cea55d3
                                            • Instruction Fuzzy Hash: 7541CCB1C00719CBDB25CFA9C884A9EBBF5FF49304F20816AD409AB255DB75694ACF50

                                            Control-flow Graph
                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 04A8ABC1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071673058.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4a80000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: cb91f787485725ec11fdabb48cef120427f690d778ca9676bf8682a0174b5c38
                                            • Instruction ID: fc93ff73985bd5294b46deba1dcbd43e2aec1d507d29f225ce7ab3d8e89f2aef
                                            • Opcode Fuzzy Hash: cb91f787485725ec11fdabb48cef120427f690d778ca9676bf8682a0174b5c38
                                            • Instruction Fuzzy Hash: 364108B5A00305DFDB14DF99C888AAAFBF5FB98314F24C45DD519AB321D375A841CBA0
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 00B959C9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2068660054.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b90000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 53a58b2fbb99b6e0550d515c9d3611b0c09bb2b16597f5ed0379a66384a9c1f3
                                            • Instruction ID: 5f69b5171d5d5461e707863e10c6db0dfbcca530cc29e001e5526938cb4c360e
                                            • Opcode Fuzzy Hash: 53a58b2fbb99b6e0550d515c9d3611b0c09bb2b16597f5ed0379a66384a9c1f3
                                            • Instruction Fuzzy Hash: 6E41DFB1C00719CBDF24CFA9C884A9DBBF5FF48304F20816AD409AB251DB756949CF90
                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06871E20
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2074306407.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6870000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: 88b18deaddf273e45f361bae09fa07bbc10ef584e91addce3ac8e361822e67c7
                                            • Instruction ID: 59110f0e6eaf87a82424bdc364fec133ee733f26e8b15b6c2e0f7d6e7d6598ef
                                            • Opcode Fuzzy Hash: 88b18deaddf273e45f361bae09fa07bbc10ef584e91addce3ac8e361822e67c7
                                            • Instruction Fuzzy Hash: 712135729002198FDB20CFA9C884BDEBBF4FF48310F14842AE959A7240C7789944DB60
                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06871E20
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2074306407.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6870000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: ff7286d40df6ae8fdfa3a72b722ce4d07e521063582bd3dec52e5c8cc17b736b
                                            • Instruction ID: 8d3030afa26ace1f40d97ce0185ea735126aa70bcfede9e8b4f319dfaf85195b
                                            • Opcode Fuzzy Hash: ff7286d40df6ae8fdfa3a72b722ce4d07e521063582bd3dec52e5c8cc17b736b
                                            • Instruction Fuzzy Hash: 97212772D003199FCB10CFA9C885BDEBBF5FF48310F14842AE959A7240C7789944DBA4
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06871F00
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2074306407.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6870000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: 69837b0e6934f35822677d17a13bedd2e9b29cc392020f9b818067ce81d6a049
                                            • Instruction ID: f178fb7c2a3a78f711b61a6819a46b98d72f43a8898aef298e1a191f86514bb6
                                            • Opcode Fuzzy Hash: 69837b0e6934f35822677d17a13bedd2e9b29cc392020f9b818067ce81d6a049
                                            • Instruction Fuzzy Hash: 4D2107718002599FCB10DFA9C885AEEBBF5FF48320F54842AE959A7241C7759944DBA0
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04A83F86,?,?,?,?,?), ref: 04A84047
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071673058.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4a80000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 87a75c0e794e6b16a3bf334e41619f50276345e7844f6a959fb4e8753ca70ab0
                                            • Instruction ID: 82ef55514e4364c93a62ce66aef9e52da58f3c124e3e2241d63ec15939e00b15
                                            • Opcode Fuzzy Hash: 87a75c0e794e6b16a3bf334e41619f50276345e7844f6a959fb4e8753ca70ab0
                                            • Instruction Fuzzy Hash: 6621E4B69002099FDB10CFAAD984ADEFFF4FB48314F14841AE918A3350D379A945DFA1
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0687183E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2074306407.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6870000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: 69389d0fcadfbbc8f790d55dd7be10af6c778932a7dfef772978621cba9b0922
                                            • Instruction ID: d63ffd909c121d2aa404a634c1200a8cdde4b71df76de147103e7cf5791d32b2
                                            • Opcode Fuzzy Hash: 69389d0fcadfbbc8f790d55dd7be10af6c778932a7dfef772978621cba9b0922
                                            • Instruction Fuzzy Hash: 1C212872D002198FDB10DFAAC4857AEBBF4EF88324F14842AD959A7241DB789945CFA4
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04A83F86,?,?,?,?,?), ref: 04A84047
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071673058.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4a80000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 4c8a89bce4b9963020053c2951338ce047d3ad654389aeaee7a0275242efbf7c
                                            • Instruction ID: acbbeeae5b8d7f7b550007b768f88fb08f30e526abbd5313a7a00287ff5073ac
                                            • Opcode Fuzzy Hash: 4c8a89bce4b9963020053c2951338ce047d3ad654389aeaee7a0275242efbf7c
                                            • Instruction Fuzzy Hash: D42105B59002099FDB10CF9AD984ADEBBF4EB48314F14801AE914A3351D379A944CFA5
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06871F00
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2074306407.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6870000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: e590bdbff06225cebba6cabfad3990c3a5cdf1301f5c1ab8bb65765edd28f2a8
                                            • Instruction ID: 1b5a4cab9692acb74c5ae2b4a0025a4895ffdb347d834c626e844f44f9336bce
                                            • Opcode Fuzzy Hash: e590bdbff06225cebba6cabfad3990c3a5cdf1301f5c1ab8bb65765edd28f2a8
                                            • Instruction Fuzzy Hash: 222139B1C003599FCB10DFAAC885AEEFBF5FF48320F54842AE959A7240C7759944DBA0
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0687183E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2074306407.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6870000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: 383c287a4d2a7f944c2f97afe24f402a15663ff727621de503addfbbbce6e41a
                                            • Instruction ID: ca4e1bb35eac4153b8374aa286825b6405b6ba753ec6cb687d2cca86e19fc893
                                            • Opcode Fuzzy Hash: 383c287a4d2a7f944c2f97afe24f402a15663ff727621de503addfbbbce6e41a
                                            • Instruction Fuzzy Hash: 46211871D003098FDB50DFAAC8857EEBBF4EF88324F14842AD559A7241DB789945CFA4
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06871D3E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2074306407.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6870000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 0739917838a67fbd16ed0019298e3097dc93e19fdc7f7b7b0724227b9c161b6a
                                            • Instruction ID: 30dfe933e6d327d8c9675fa32f32c0ffc1511a94089fa005b3d8749b999ca1d3
                                            • Opcode Fuzzy Hash: 0739917838a67fbd16ed0019298e3097dc93e19fdc7f7b7b0724227b9c161b6a
                                            • Instruction Fuzzy Hash: A6116A729002499FDB20DFA9C848BDFBFF5EF88324F248419E915A7250CB769944DFA4
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04A81DC1,00000800,00000000,00000000), ref: 04A81FD2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071673058.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4a80000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 14f07631e0d4a69dc3e25df712335b32ffcc198067f5c63ccd3152883f0e3846
                                            • Instruction ID: 1de283130628d8e355cd8bfda6dff7bb95aeb0be7a533b06bfac078a73239106
                                            • Opcode Fuzzy Hash: 14f07631e0d4a69dc3e25df712335b32ffcc198067f5c63ccd3152883f0e3846
                                            • Instruction Fuzzy Hash: 121126B69043099FDB10DF9AC444ADEFBF4EB88310F10842EE919A7341C375A945CFA5
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06871D3E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2074306407.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6870000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: e564aa1ceedbc5652b47e3b4b3a7b0f04b4d106fb8edc89f257efccf3f995ff9
                                            • Instruction ID: 82e22ad8759f80c13437fceb3549d7e4d0e8e04653e9b66ee81c1dcb4c830be4
                                            • Opcode Fuzzy Hash: e564aa1ceedbc5652b47e3b4b3a7b0f04b4d106fb8edc89f257efccf3f995ff9
                                            • Instruction Fuzzy Hash: 311149729002499FDB10DFAAC844ADFBFF5EF88320F248419EA19A7250CB759944DFA4
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04A81DC1,00000800,00000000,00000000), ref: 04A81FD2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071673058.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4a80000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: beab067cf1a8e9b6122131f21d7e87edc05132023da8bd4cdd50e5dfe0e51a20
                                            • Instruction ID: a719e4fbf21685b03495e39698dfe00b7de78ac125bcf1c6731710a4c6272ff1
                                            • Opcode Fuzzy Hash: beab067cf1a8e9b6122131f21d7e87edc05132023da8bd4cdd50e5dfe0e51a20
                                            • Instruction Fuzzy Hash: BA1123B6900209CFDB10DF9AC584ADEFBF4EB88310F14842EE519A7740C375A946CFA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2074306407.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6870000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: e4bab433d5d41fa66ad12c0b29463d518fd61187d504c3e4db268b685b569ac9
                                            • Instruction ID: a73d150e4de635e412cdd80972e42f5632229ce9f93de7d484c36cbe55891acb
                                            • Opcode Fuzzy Hash: e4bab433d5d41fa66ad12c0b29463d518fd61187d504c3e4db268b685b569ac9
                                            • Instruction Fuzzy Hash: A8112B71D003598FDB20DFAAC8457DEFBF4EF89324F24841AD55AA7240CA759944CFA4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2074306407.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6870000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: 32cae2e8199c100f38d97b6c16844e3d9410916b58d943848d3c49914546503c
                                            • Instruction ID: 901e80255d4cc10846c153fec026d39f2f1e48ab3642a4dbe042b70fa178fcda
                                            • Opcode Fuzzy Hash: 32cae2e8199c100f38d97b6c16844e3d9410916b58d943848d3c49914546503c
                                            • Instruction Fuzzy Hash: DC112871D002498BDB20DFAAC88579EFBF4EB88324F248419D519A7240CA75A944CFA4
                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0687481D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2074306407.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6870000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: ab5b58ef464adc887aa8b8829995087636f7301cdb313a4bbedce77084f52b0f
                                            • Instruction ID: 6d54d4259ee7232fb8c3ce9ab9c4ee6c9d3e03881552b3849234204bbe6be6f2
                                            • Opcode Fuzzy Hash: ab5b58ef464adc887aa8b8829995087636f7301cdb313a4bbedce77084f52b0f
                                            • Instruction Fuzzy Hash: E51106B58003499FDB20DF99D844BDEFFF8EB59320F20841AE659A7241C375A984CFA1
                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0687481D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2074306407.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6870000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: 6056d2dce610311c1128961ef7e89ff811692b2f1abd574d03f5caf0f9c37e11
                                            • Instruction ID: 9a92aa532efa494140e7495402a42d6adb829f4e0cbcc3cc8c42c058c2935592
                                            • Opcode Fuzzy Hash: 6056d2dce610311c1128961ef7e89ff811692b2f1abd574d03f5caf0f9c37e11
                                            • Instruction Fuzzy Hash: F111F5B5800349DFDB50DF99D845BDEBBF8EB48314F108419E619A7200C375A944CFA1
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 04A81D46
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071673058.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4a80000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: ef6224bffd6804ebbd9c8bfac7c669d3bf918c8ed3aa6b5385ade77f179fe8f3
                                            • Instruction ID: d6d89511f15975fcfbd6eb105c84925036d50b6728ff48add1358f0216ada6cf
                                            • Opcode Fuzzy Hash: ef6224bffd6804ebbd9c8bfac7c669d3bf918c8ed3aa6b5385ade77f179fe8f3
                                            • Instruction Fuzzy Hash: CF11D2B6C002498FDB10DF9AD444BDEFBF4EF89314F14841AD529A7210C379A545CFA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2057189384.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7bd000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: de40b42e95b4a8c92701004abf515b31807447bb4d66f9917ecd3514f085826f
                                            • Instruction ID: b53cd3e0e76b5a87d8d6a6387ad7835b37a9881731c90485dda010615bb8191d
                                            • Opcode Fuzzy Hash: de40b42e95b4a8c92701004abf515b31807447bb4d66f9917ecd3514f085826f
                                            • Instruction Fuzzy Hash: 2D2122B2504204EFCB25DF14D9C0B66BF65FF98328F248569E8094B246D33ADC66CAA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2057189384.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7bd000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 73916d9db0b7bc18726cab5d5fc09320e779fd219db4ae7e43f2837ba29f2c48
                                            • Instruction ID: b25e3ef7c26b3ddca902491b707f0b354eb77681037fee745d997263a09138e5
                                            • Opcode Fuzzy Hash: 73916d9db0b7bc18726cab5d5fc09320e779fd219db4ae7e43f2837ba29f2c48
                                            • Instruction Fuzzy Hash: EE2133B1504240DFCB25DF14D9C0B67BF65FB98324F20C569EC094B246D33AEC16CAA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2057681329.00000000007CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007CD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7cd000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 76a58229a7d3a42e49ea353190c6e016fa5bde9b15917189205b1eb765ad4a64
                                            • Instruction ID: 13a4b8ee96695d60ea7eb19fe3ae845d48c23cc2b002a9c9e148f026f93f01a2
                                            • Opcode Fuzzy Hash: 76a58229a7d3a42e49ea353190c6e016fa5bde9b15917189205b1eb765ad4a64
                                            • Instruction Fuzzy Hash: BC2104B5504208EFDB25DF14D9C0F26BBA5FB84324F28C97DD8094B296C33ADC06CAA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2057681329.00000000007CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007CD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7cd000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9f5a33cc1328daa7aaadfce758babccd06950d7be5056366b1c0fcd6086c18b5
                                            • Instruction ID: 06eef282adca5382f1994cf5d1828c29073e680d4051ecd5b4ff542eada5ef93
                                            • Opcode Fuzzy Hash: 9f5a33cc1328daa7aaadfce758babccd06950d7be5056366b1c0fcd6086c18b5
                                            • Instruction Fuzzy Hash: B121F2B1504204EFDB25DF54D9C0F26BBA5FB88324F24C97DE8094B296C33ADC06CA61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2057189384.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7bd000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
                                            • Instruction ID: dfcbff1a4108e06dd25a1aa89c4c0d7abcc10ca17d1b5b1538e6be089bf9c5a6
                                            • Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
                                            • Instruction Fuzzy Hash: D111E676504244CFCB26CF10D5C4B56BF72FF98324F24C5A9D8094B656C33AD86ACBA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2057189384.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7bd000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
                                            • Instruction ID: 9657e2c7078e35510091a9a0c5b3d1ae73e9b4ce2dd1c61c694952a5b6822beb
                                            • Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
                                            • Instruction Fuzzy Hash: C011B176504280CFDB26CF14D5C4B56BF71FF94324F24C5A9D8094B256D33AD86ACBA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2057681329.00000000007CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007CD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7cd000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
                                            • Instruction ID: 79f9cf950de3bcf2471bbd6da44b9777dcfed271f7d0c7118136b0a9436c25f4
                                            • Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
                                            • Instruction Fuzzy Hash: DF119D76504280DFDB16CF14D9C4B15FBB1FB84324F24C6AED8494B696C33AD84ACB61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2057681329.00000000007CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007CD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7cd000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
                                            • Instruction ID: def55ae0b41b6d6cca340f867fa9dddf14e8380e88e2d54fcd5307bf936a2aab
                                            • Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
                                            • Instruction Fuzzy Hash: 0E119D75504284DFDB16CF14D9C4B15BFB2FB84314F28C6ADD8494B656C33AD84ACBA2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071673058.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4a80000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 13be654af8388c7e57a6536800567612a7fad9ed05f4a4dc1d91b1274a34549c
                                            • Instruction ID: 5dd7e8a30dacab2cfb8b32c4e1e78cbfdbfda8e9b50f0b943549a11e75db39f7
                                            • Opcode Fuzzy Hash: 13be654af8388c7e57a6536800567612a7fad9ed05f4a4dc1d91b1274a34549c
                                            • Instruction Fuzzy Hash: 2B1295B1E09745AAD310CF65E94C1893FB1FF41338B524229D2612E6E9DBBC196ACFC4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2074306407.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6870000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5acba7b506b364dff0bbe79578e3875247910574a4ecff987dfcb126b9d526ab
                                            • Instruction ID: df1659e25b4c94941b5a60547a01ae0f3b443a752af01e69cf60f6d453baa0f9
                                            • Opcode Fuzzy Hash: 5acba7b506b364dff0bbe79578e3875247910574a4ecff987dfcb126b9d526ab
                                            • Instruction Fuzzy Hash: 47E10774E141198FCB54DFA8C584AAEFBF2FF89304F288169D454AB35AD734A941CFA0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2074306407.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6870000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2584c3bcd726dbf02bee31a444afd590eebcefdaa9edf3422202c93843d4989a
                                            • Instruction ID: 7863c6d418fd4cdf51bae0c54580640baad17441430d902b90b055a5bb621552
                                            • Opcode Fuzzy Hash: 2584c3bcd726dbf02bee31a444afd590eebcefdaa9edf3422202c93843d4989a
                                            • Instruction Fuzzy Hash: E5E11874E141198FCB54DFA9C584AAEFBF2FF89304F288269D454AB356D730A941CFA0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071673058.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4a80000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 15ab5537d3fd3b73b7c16834db7611258b7c798d7c24ae46c9aa7d7f1aec383d
                                            • Instruction ID: d919f97f41ff37a2d9aca6d3e185db7bb4b94fd5889abb5fddb02accd7074ad0
                                            • Opcode Fuzzy Hash: 15ab5537d3fd3b73b7c16834db7611258b7c798d7c24ae46c9aa7d7f1aec383d
                                            • Instruction Fuzzy Hash: EFA18132E002169FDF15EFB4C9405EEB7B2FF89304B15816EE905AB265EB35E915CB80
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071673058.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4a80000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 35f2666899d5fe7a33e053e37a33784e86e2b9fa1b5f0eae160538bc93e8fcef
                                            • Instruction ID: fe15fd993616195d49e815636ee58256974b1ba3402d2f0ab06c7627a96919b5
                                            • Opcode Fuzzy Hash: 35f2666899d5fe7a33e053e37a33784e86e2b9fa1b5f0eae160538bc93e8fcef
                                            • Instruction Fuzzy Hash: 1EC128B0E09705AAD710DF65E9481893FB1FF81334F524229D2616B2E9DBB8196ACF84
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2074306407.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6870000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 94b0c17f9340208aa8960da77d6ba75befb65d7d9b3de4e1a935ff1c16f537c7
                                            • Instruction ID: fb6aac50a4b08625fabec8b39d856721a9732e986089babb8f1005cad2baf907
                                            • Opcode Fuzzy Hash: 94b0c17f9340208aa8960da77d6ba75befb65d7d9b3de4e1a935ff1c16f537c7
                                            • Instruction Fuzzy Hash: AB511A70E142198FDB54CFA9C584AAEFBF2AF89304F24C16AD458AB315D7309941CFA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2074306407.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6870000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 32235949c8d857a4d9608ad8d04922e14a6bec79d76dbe9bd0b720789c64f0f4
                                            • Instruction ID: 4bc2428ae3d402ba6943c1bedba4dc934281604738d8de84cb27ecee2beffe98
                                            • Opcode Fuzzy Hash: 32235949c8d857a4d9608ad8d04922e14a6bec79d76dbe9bd0b720789c64f0f4
                                            • Instruction Fuzzy Hash: 4EE04F34908108DFD740DF40E4450FCB7BDE74A319F003061D50DE3211D7309994CB54

                                            Execution Graph

                                            Execution Coverage:11.1%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:162
                                            Total number of Limit Nodes:22
                                            [execution_graph: node/edge dump of the interactive execution-graph widget. Subgraphs start at nodes 68c2878, ee0848, e9d030, 68c2ac0, 68cf800 and 68cd0f0. API calls attached to graph nodes: GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, LoadLibraryExW, GetModuleHandleW, GlobalMemoryStatusEx (on many nodes, four calls in a row on several of them), CallWindowProcW, DuplicateHandle, CreateWindowExW.]
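The execution graph is emitted as one flat token stream: a node is "decimal id, hex address, optional label words" and an edge is "id->id", with labels such as "2 API calls" standing in for collapsed subgraphs. The following Python script is an added example, not part of the Joe Sandbox report: it parses that token format into nodes and edges, finds the entry nodes (no incoming edges) and lists the Win32 APIs reachable from each one. The embedded sample is an excerpt of the report's own dump; the token grammar and the meaning of "N API calls" labels are assumptions taken from the dump as shown on this page, and node 40934, which the excerpt references only through edges, shows how undeclared nodes are kept as placeholders.

```python
"""Parse a Joe Sandbox "execution_graph" token stream and list the APIs
reachable from each entry node.

Added example, not part of the report. Assumed token format (from the dump on
this page): node = "<decimal id> <hex address> [label words]", edge = "<id>-><id>",
and a label "N API calls" is a collapsed-subgraph summary, not an API name.
"""
import re

ID_RE = re.compile(r"^\d+$")                 # node ids are decimal
ADDR_RE = re.compile(r"^[0-9a-f]{5,8}$")     # addresses are lowercase hex

# Constructed sample: an excerpt of the report's execution_graph dump. Node
# 40934 is referenced by edges only, so it exercises the placeholder path.
SAMPLE_GRAPH = """execution_graph
41027 68c2878 41028 68c28be GetCurrentProcess 41027->41028 41030 68c2909 41028->41030 41031 68c2910 GetCurrentThread 41028->41031 41030->41031 41032 68c294d GetCurrentProcess 41031->41032 41033 68c2946 41031->41033 41034 68c2983 41032->41034 41033->41032 41035 68c29ab GetCurrentThreadId 41034->41035 41036 68c29dc 41035->41036
40882 68c1b70 40883 68c1b7f 40882->40883 40884 68c175c 2 API calls 40883->40884 40885 68c1ba0 40884->40885
40939 68caf10 40940 68caf15 40939->40940 40941 68caf54 40940->40941 40945 68cb1b8 LoadLibraryExW 40940->40945 40946 68cb1aa LoadLibraryExW 40940->40946 40941->40934 40942 68caf4c 40942->40941 40943 68cb158 GetModuleHandleW 40942->40943 40944 68cb185 40943->40944 40944->40934 40945->40942 40946->40942
41013 68c2ac0 DuplicateHandle 41014 68c2b56 41013->41014
41069 68cd0f0 41070 68cd158 CreateWindowExW 41069->41070 41072 68cd214 41070->41072 41072->41072
"""


def new_node():
    return {"addr": None, "label": "", "apis": []}


def parse_execution_graph(text):
    """Return (nodes, edges): nodes maps id -> {addr, label, apis}; edges is a list of (src, dst)."""
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:                                        # edge
            src, dst = (int(x) for x in tok.split("->"))
            edges.append((src, dst))
            nodes.setdefault(src, new_node())
            nodes.setdefault(dst, new_node())
            current = None
            i += 1
        elif ID_RE.match(tok) and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = int(tok)                                 # node declaration
            nodes.setdefault(current, new_node())["addr"] = int(tokens[i + 1], 16)
            i += 2
        else:                                                  # label word of the last declared node
            if current is not None:
                n = nodes[current]
                n["label"] = (n["label"] + " " + tok).strip()
            i += 1
    for n in nodes.values():
        # "2 API calls" is a collapsed subgraph; anything else on a label is an API name
        n["apis"] = [] if re.fullmatch(r"\d+ API calls", n["label"]) else n["label"].split()
    return nodes, edges


def roots(nodes, edges):
    """Entry nodes: no incoming edge other than a self-loop."""
    targets = {dst for src, dst in edges if src != dst}
    return sorted(n for n in nodes if n not in targets)


def reachable_apis(nodes, edges, root):
    """Sorted set of API names on every node reachable from root (cycle-safe DFS)."""
    adj = {}
    for src, dst in edges:
        adj.setdefault(src, []).append(dst)
    seen, stack, apis = set(), [root], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        apis.update(nodes[n]["apis"])
        stack.extend(adj.get(n, []))
    return sorted(apis)


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(SAMPLE_GRAPH)
    for r in roots(nodes, edges):
        print(f"{r} {nodes[r]['addr']:x}: {reachable_apis(nodes, edges, r)}")
```

Feeding the full dump instead of the excerpt gives one line per subgraph entry (68c2878, ee0848, e9d030, 68c2ac0, 68cf800, 68cd0f0), which is a quicker way to see, for example, that the ee0848 subgraph is the one that ends in the repeated GlobalMemoryStatusEx calls.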
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $eq$$eq$$eq$$eq$$eq$$eq
                                            • API String ID: 0-220072568
                                            • Opcode ID: 81d16bf97c6212389b1e5dd0e70b8590595974bd0c2390b3bf231d2ef89ee53d
                                            • Instruction ID: b680e547484933b2e0d11574850172dbaa67853de1283490ad549004f6a4035b
                                            • Opcode Fuzzy Hash: 81d16bf97c6212389b1e5dd0e70b8590595974bd0c2390b3bf231d2ef89ee53d
                                            • Instruction Fuzzy Hash: 26D25734E00609CFCB64DB68C594A9DB7B2FF89310F54C5A9D509EB265EB34ED82CB90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $eq$$eq$$eq$$eq$$eq$$eq
                                            • API String ID: 0-220072568
                                            • Opcode ID: d28f6a5c4ac89bbd88d0267c918336c6e0de7d4043f17d03c4b5cb70f89bfe1a
                                            • Instruction ID: 8a8149faaa1612396d7bceb7d87bfd8b7dc2a33fa6cfd889f3c59198423abdd7
                                            • Opcode Fuzzy Hash: d28f6a5c4ac89bbd88d0267c918336c6e0de7d4043f17d03c4b5cb70f89bfe1a
                                            • Instruction Fuzzy Hash: B65280B0E101099FDFA4DB68D5807ADB7B2FB49310F61852AE509EB395DB34DC81CBA1

                                            Control-flow Graph
                                            [Control-flow graph omitted: function at 068D7D80, basic blocks 68d7d80-68d83c0, two internal calls to 68d65a0 (at 68d8154 and 68d7fcf), no Win32 API nodes]
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $eq$$eq
                                            • API String ID: 0-2246304398
                                            • Opcode ID: 3c44867c1e7e9571a58a21ddf0e23f586d6939cb2367c067f6d0a8033698f2cf
                                            • Instruction ID: 5e24baaf063267a6c420414b473643efec0197e7a97dda3e54f609b19a52256a
                                            • Opcode Fuzzy Hash: 3c44867c1e7e9571a58a21ddf0e23f586d6939cb2367c067f6d0a8033698f2cf
                                            • Instruction Fuzzy Hash: 7402AE70B102098FDB54DB69D540BAEB7E2FF84304F248529E90ADB395DB35EC86CB90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $
                                            • API String ID: 0-3993045852
                                            • Opcode ID: 8f7b953dc8d739c6be9246360d31efcd07429c0221656a787e5c61d7e7d3fbd6
                                            • Instruction ID: 25d6999984e2d8f26e868e299c2a8159f3c472c175f45250fe7029529dd01672
                                            • Opcode Fuzzy Hash: 8f7b953dc8d739c6be9246360d31efcd07429c0221656a787e5c61d7e7d3fbd6
                                            • Instruction Fuzzy Hash: E322E475F102059FDF60DBA4D5806AEB7F2EF84320F24846AE905EB354DA31ED41CBA2
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0fbd9924eef9bbcc08399924bd504191632e2a1a5b3fe40a782c1fb4348ce8d8
                                            • Instruction ID: 321921af56fc0c2668ec3c0cebf7ff8ab04dcc526e2a0929c117971bd2b5924e
                                            • Opcode Fuzzy Hash: 0fbd9924eef9bbcc08399924bd504191632e2a1a5b3fe40a782c1fb4348ce8d8
                                            • Instruction Fuzzy Hash: D0628134E102089FDB54DB68D594BADB7F2EF84310F148469E906DB395EB35ED82CBA0
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f2e1869b5a514a97e40feb9615bd03bbb6e9a3946f3a3ee537244bc467fac9a8
                                            • Instruction ID: 4e09d8dd7c57ba4e1cd966763fdd9104e00f51fbcfd7afab0db844a8ca847ccd
                                            • Opcode Fuzzy Hash: f2e1869b5a514a97e40feb9615bd03bbb6e9a3946f3a3ee537244bc467fac9a8
                                            • Instruction Fuzzy Hash: 19327E34B102099FDF55EB68D990BADB7B6FB88314F108529E509EB355DB34EC42CBA0

                                            Control-flow Graph
                                            [Control-flow graph omitted: function at 068DACE0, basic blocks 68dace0-68db230, internal calls to 68d65a0 (at 68dae17 and 68db08b) and an indirect call at 68db1e1 resolved to either 68db238 or 68db248, no Win32 API nodes]
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: XM$XM$$eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq
                                            • API String ID: 0-898559689
                                            • Opcode ID: 93dc247449a3ea874ce6005c11d795984d8ed9823e4d57c16f987d22df49936f
                                            • Instruction ID: 90a9116359db279658e484588fcde2832724b274685de524e8104c559f08619a
                                            • Opcode Fuzzy Hash: 93dc247449a3ea874ce6005c11d795984d8ed9823e4d57c16f987d22df49936f
                                            • Instruction Fuzzy Hash: 39E19170E102098FDF59DBA5D4906AEB7B2FF85300F208529E909EB355DB71EC46CBA1

                                            Control-flow Graph
                                            [Control-flow graph omitted: function at 068C2873, basic blocks 68c2873-68c2a45, Win32 API nodes GetCurrentProcess (68c2873), GetCurrentThread (68c2910), GetCurrentProcess (68c294d) and GetCurrentThreadId (68c29ab); the call at 68c29a5 is resolved to one of 68c2e28, 68c2e38 or 68c2a48]
                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 068C28F6
                                            • GetCurrentThread.KERNEL32 ref: 068C2933
                                            • GetCurrentProcess.KERNEL32 ref: 068C2970
                                            • GetCurrentThreadId.KERNEL32 ref: 068C29C9
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500333211.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68c0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: 6b948a203f5df9fdc9433299b88b05b9c399e611014a77c6bc0eb202f3b5050a
                                            • Instruction ID: 99ceea55ea8b308058a177b93cca7018b1dac2042ad894602bc8478a5d8db608
                                            • Opcode Fuzzy Hash: 6b948a203f5df9fdc9433299b88b05b9c399e611014a77c6bc0eb202f3b5050a
                                            • Instruction Fuzzy Hash: 555145B09002098FDB54CFAAD948BEEBBF1EF48310F248459E609A73A0D7359948CF65

                                            Control-flow Graph
                                            [Control-flow graph omitted: second entry at 068C2878 into the same basic blocks as the function at 68c2873 (68c2878-68c2a45): GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId; call at 68c29a5 resolved to 68c2e28, 68c2e38 or 68c2a48]
                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 068C28F6
                                            • GetCurrentThread.KERNEL32 ref: 068C2933
                                            • GetCurrentProcess.KERNEL32 ref: 068C2970
                                            • GetCurrentThreadId.KERNEL32 ref: 068C29C9
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500333211.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68c0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: b6398ee2dcabe5e0117d01b66cae121732ca37c0b35c4e700eea5c812590112e
                                            • Instruction ID: 9bf0609a32c55c2ab3b1eaa561e8d29bb5adabc1bce91149a1c99d496bd8b193
                                            • Opcode Fuzzy Hash: b6398ee2dcabe5e0117d01b66cae121732ca37c0b35c4e700eea5c812590112e
                                            • Instruction Fuzzy Hash: 5E5155B09002098FDB54CFAAD948BDEBBF1EF48310F24841DE609A73A0D735A948CF65

                                            Control-flow Graph
                                            [Control-flow graph omitted: function at 068CAF10, basic blocks 68caf10-68cb1a0, one Win32 API node GetModuleHandleW at 68cb158; internal calls to 68ca2e4, 68ca2f0, 68c348c, 68c8900 and 68ca300, plus an indirect call at 68caf46 resolved to 68cb1b8 or 68cb1aa]
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 068CB176
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500333211.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68c0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID: tb$tb
                                            • API String ID: 4139908857-786838781
                                            • Opcode ID: 10d1efd739e65cf537caf50738ffafdf484ef5a4cccdb5caa3ef1c9d12fd3d97
                                            • Instruction ID: 2933f493063d1f5b54e951a0a146dd886408a4d51c5fc2d036ee7fd90d6ded87
                                            • Opcode Fuzzy Hash: 10d1efd739e65cf537caf50738ffafdf484ef5a4cccdb5caa3ef1c9d12fd3d97
                                            • Instruction Fuzzy Hash: 7A819AB0A00B098FD7A4DF2AD44176ABBF1FF88310F00892ED59AD7A50D775E945CB91
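                                            The function summaries on this page all share one fixed layout (an optional APIs list, a Memory Dump Source line, then the Similarity key/value pairs), so the two facts an analyst actually wants from them (which Win32 APIs each recovered function reaches, and whether its bytes came from an image-backed PE mapping or from an anonymous writable-and-executable region) can be pulled out mechanically. The Python below is an added example, not code from Joe Sandbox or from this report; its SAMPLE input is copied from the summary blocks on this page. It splits the .sdmp file name on dots and reads field 5 as a Windows PAGE_* protection value and field 7 as a MEM_* region type; that field order is an assumption about Joe Sandbox's dump naming, not documented behaviour, and is marked as such in the code.

```python
"""Parse Joe Sandbox per-function summary blocks and list, per memory region, which
Win32 APIs the recovered code reaches.

Added example, not part of Joe Sandbox or of this report. SAMPLE is copied from the
function summaries on this page. ASSUMPTION: in the .sdmp name, field 5 is a PAGE_*
protection and field 7 a MEM_* region type (not documented Joe Sandbox behaviour).
"""
import re
from dataclasses import dataclass, field

# Win32 memory constants (fixed by the Windows API).
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
MEM_PRIVATE = 0x20000

SAMPLE = """\
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 068CB176
Memory Dump Source
• Source File: 00000004.00000002.4500333211.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false
Similarity
• String ID: tb$tb
• Opcode ID: 10d1efd739e65cf537caf50738ffafdf484ef5a4cccdb5caa3ef1c9d12fd3d97
• Instruction Fuzzy Hash: 7A819AB0A00B098FD7A4DF2AD44176ABBF1FF88310F00892ED59AD7A50D775E945CB91
APIs
• GetCurrentProcess.KERNEL32 ref: 068C28F6
• GetCurrentThread.KERNEL32 ref: 068C2933
• GetCurrentProcess.KERNEL32 ref: 068C2970
• GetCurrentThreadId.KERNEL32 ref: 068C29C9
Memory Dump Source
• Source File: 00000004.00000002.4500333211.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false
• Opcode ID: 6b948a203f5df9fdc9433299b88b05b9c399e611014a77c6bc0eb202f3b5050a
• Instruction Fuzzy Hash: 555145B09002098FDB54CFAAD948BEEBBF1EF48310F248459E609A73A0D7359948CF65
Strings
Memory Dump Source
• Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
• String ID: $eq$$eq
• Opcode ID: 3c44867c1e7e9571a58a21ddf0e23f586d6939cb2367c067f6d0a8033698f2cf
• Instruction Fuzzy Hash: 7402AE70B102098FDB54DB69D540BAEB7E2FF84304F248529E90ADB395DB35EC86CB90
"""

API_RE = re.compile(r"^•\s*(\w+)\.(\w+)(?:\([^)]*\))?,?\s*ref:\s*([0-9A-Fa-f]+)")
SRC_RE = re.compile(r"Source File:\s*(\S+\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+),"
                    r"\s*based on PE:\s*(true|false)")
KV_RE = re.compile(r"^•\s*([A-Za-z ]+?):\s*(.*)$")


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)     # (api, module, ref address)
    source_file: str = ""
    offset: str = ""
    based_on_pe: bool = False
    fields: dict = field(default_factory=dict)   # Similarity key/value pairs


def decode_sdmp_name(name):
    """Field positions are the ASSUMPTION stated in the module docstring."""
    parts = name.split(".")
    return {"process_index": int(parts[0], 16), "base": int(parts[3], 16),
            "protect": int(parts[4], 16), "region_type": int(parts[6], 16)}


def parse_blocks(text):
    """One record per block; a block always ends with its Instruction Fuzzy Hash line."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if m := API_RE.match(line):
            cur.apis.append((m.group(1), m.group(2), m.group(3).upper()))
        elif m := SRC_RE.search(line):
            cur.source_file, cur.offset = m.group(1), m.group(2).upper()
            cur.based_on_pe = m.group(3) == "true"
        elif m := KV_RE.match(line):
            cur.fields[m.group(1)] = m.group(2)
            if m.group(1) == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = FunctionRecord()
    return records


def is_writable_executable(protect):
    return protect in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)


def region_api_summary(records):
    """Keep only functions recovered from non-image, writable+executable memory and
    collect the APIs reached per region; functions are de-duplicated by Opcode ID."""
    summary = {}
    for r in records:
        meta = decode_sdmp_name(r.source_file)
        if r.based_on_pe or not is_writable_executable(meta["protect"]):
            continue
        entry = summary.setdefault(r.offset, {"apis": set(), "functions": set(),
                                              "private": meta["region_type"] == MEM_PRIVATE})
        entry["functions"].add(r.fields.get("Opcode ID", ""))
        entry["apis"].update(api for api, _, _ in r.apis)
    return summary


if __name__ == "__main__":
    for base, e in sorted(region_api_summary(parse_blocks(SAMPLE)).items()):
        kind = "private" if e["private"] else "mapped/other"
        print(f"{base}: RWX {kind}, {len(e['functions'])} functions, APIs {sorted(e['apis'])}")
```

                                            The filter keeps a function only when it is both "based on PE: false" and in writable-and-executable memory, which is the combination worth a second look. One caveat when reading the output: in a .NET process the JIT's code heap is also anonymous RWX memory, so functions that reach CreateWindowExW, CallWindowProcW or GetCurrentThread from such a region may be ordinary JIT-compiled framework methods rather than injected code. Treat the result as a worklist for manual review, not as a verdict.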

                                            Control-flow Graph
                                            [Control-flow graph omitted: function at 068D9158, basic blocks 68d9158-68d9a87, no calls and no Win32 API nodes]
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $eq$$eq$$eq$$eq
                                            • API String ID: 0-812946093
                                            • Opcode ID: 77652dc18b8cb902118b293ccce2eed57a4a1d1b55c908e9f71cee418b359f66
                                            • Instruction ID: ee1de495a0aed55273771191dc003045b518e6178dc658eeafff917dee9f9d41
                                            • Opcode Fuzzy Hash: 77652dc18b8cb902118b293ccce2eed57a4a1d1b55c908e9f71cee418b359f66
                                            • Instruction Fuzzy Hash: 90913130F1060A8FDF54EF65D9507AEB7F6AF85200F10C569D90AEB359EE309D428B91

                                            Control-flow Graph
                                            [Control-flow graph omitted: function at 068DCF48, basic blocks 68dcf48-68ddaa8, internal calls to 68d65a0 (at 68dd39c, 68dd8ab and 68dda2d) and an indirect call at 68dda01 resolved to 68ddabd or 68ddad0, no Win32 API nodes]
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $eq$$eq$$eq
                                            • API String ID: 0-177832560
                                            • Opcode ID: a2d7ebc1ae17a8b5d04343b3606812f0a382e43d0435b4881c655721ba3eacd0
                                            • Instruction ID: 3b6618bbda94d79a2cdc4ee44d41ff0d1ce22e6bf315ce54bece60c10742f7ad
                                            • Opcode Fuzzy Hash: a2d7ebc1ae17a8b5d04343b3606812f0a382e43d0435b4881c655721ba3eacd0
                                            • Instruction Fuzzy Hash: E6624E30A006068FCB55EB69D590A5EB7F2FF85300F608A69D409DF369DB71ED86CB90

                                            Control-flow Graph
                                            [Control-flow graph omitted: function at 068D4B70, basic blocks 68d4b70-68d52bb, one indirect call at 68d4cea resolved to 68d5419 or 68d5428, no Win32 API nodes]
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: fjq$XPjq$\Ojq
                                            • API String ID: 0-216941231
                                            • Opcode ID: d7566576da5a5f671208e4f24a9e31dd12163fe8d86cb39480a76ac5415b910f
                                            • Instruction ID: 057b7fad79542c038bba520ed21b868f8f1af679dced6de021fad7195295ab3f
                                            • Opcode Fuzzy Hash: d7566576da5a5f671208e4f24a9e31dd12163fe8d86cb39480a76ac5415b910f
                                            • Instruction Fuzzy Hash: 47619170F002089FEB549FB5C8557AEBBF6EF88300F20842AE509EB395DE759D458B91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $eq$$eq
                                            • API String ID: 0-2246304398
                                            • Opcode ID: 0095f1ec842ef53f2522570da2cfa9132844d49c3e7eebfb89ab0e8022a456ed
                                            • Instruction ID: 89bb5b21847ed66ac25d0af42bbf83b575df6c5031933e024a57582fd45b5b79
                                            • Opcode Fuzzy Hash: 0095f1ec842ef53f2522570da2cfa9132844d49c3e7eebfb89ab0e8022a456ed
                                            • Instruction Fuzzy Hash: D0512030B105068FDF54EB74E9507BEB7F6EB89210F50C469D50AEB399EA31DC428BA0
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4495488721.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_ee0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f888d4bb10403a3fcd71877b14f051104da24d6a53af39b5b54c358817a1eae1
                                            • Instruction ID: 68382a7c8cbdfadea7f7655b30f4b90ecb9062d3d5f8a00e9c2c0c8172db445a
                                            • Opcode Fuzzy Hash: f888d4bb10403a3fcd71877b14f051104da24d6a53af39b5b54c358817a1eae1
                                            • Instruction Fuzzy Hash: A741E472D047998FCB14DF69D4446AEBBF1EF89310F15866AD808E7380EB349885CBD1
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 068CD202
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500333211.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68c0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: ed9df40f748abe400a9ec48fc5fbf1e34913434f621d43389655a51e25614043
                                            • Instruction ID: efdd604a83a6eef06dd876b9f36298fda252bb847989e2fd2d41a155a31f6769
                                            • Opcode Fuzzy Hash: ed9df40f748abe400a9ec48fc5fbf1e34913434f621d43389655a51e25614043
                                            • Instruction Fuzzy Hash: 2451C1B5D003499FDB14CF99C984ADEBBB6FF88310F64812EE819AB210D775A945CF90
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 068CD202
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500333211.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68c0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 7527b2310691c7686257def387d9baa22ba019bee0d2b6b111a81aedb66c2acc
                                            • Instruction ID: 0fc74f5acb37b6e73f4e60a221ff8407f576abf9e269cdb190bca36cc8dd36c1
                                            • Opcode Fuzzy Hash: 7527b2310691c7686257def387d9baa22ba019bee0d2b6b111a81aedb66c2acc
                                            • Instruction Fuzzy Hash: D741CFB1D003099FDB14CF9AC994ADEBBB5FF88310F64812AE818AB210D771A945CF90
                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 068CF8F1
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500333211.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68c0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: ddb29f9479fcccd6ceecd4292d631517e6c0234262d0bf78f9766e920d4e2dc7
                                            • Instruction ID: 0b683757ed9205ea2b287e5d87de4fcbf97ac3db0369707423ea9914bd3ef9c4
                                            • Opcode Fuzzy Hash: ddb29f9479fcccd6ceecd4292d631517e6c0234262d0bf78f9766e920d4e2dc7
                                            • Instruction Fuzzy Hash: DE4107B5900209DFDB54CF99C888AAEBBF5FF88324F24845DD619A7321D774E845CBA0
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 068C2B47
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500333211.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68c0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 58280d81868b4885ef8501ba7774ef90a686c7ce037e751ce7579a2a88b171b8
                                            • Instruction ID: 6f2fda092d8c005ca3f45d13990dd8c1e614b69edd9ba37ff7a029ddf8b10daa
                                            • Opcode Fuzzy Hash: 58280d81868b4885ef8501ba7774ef90a686c7ce037e751ce7579a2a88b171b8
                                            • Instruction Fuzzy Hash: 0421E4B5D00249DFDB10CFAAD984AEEBBF4FB48320F14801AE914A7350C379A954DF64
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 068C2B47
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500333211.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68c0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: cc0bee64b0ef447e820fb28824bd8d61f2039c6c347c4e7eea642836dbca8f71
                                            • Instruction ID: 2604ebae0f5a62e6c3b9c4a85b13f822c9c8064dfc181baf10899273454ebbdb
                                            • Opcode Fuzzy Hash: cc0bee64b0ef447e820fb28824bd8d61f2039c6c347c4e7eea642836dbca8f71
                                            • Instruction Fuzzy Hash: 2821E4B5900209DFDB10CF9AD984ADEFBF8EB48320F14801AE914A3350C375A944DF64
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,068CB1F1,00000800,00000000,00000000), ref: 068CB3E2
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500333211.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68c0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 14e85cfeb91dc5bd644b63a803e92cb5357f8019e0b9abb2c44cb7e89ced3fba
                                            • Instruction ID: d406255793a01ab05025752664d6465623ea475fe76a93c925f92fd2a1614f57
                                            • Opcode Fuzzy Hash: 14e85cfeb91dc5bd644b63a803e92cb5357f8019e0b9abb2c44cb7e89ced3fba
                                            • Instruction Fuzzy Hash: 531126B6C003499FCB10CFAAD884ADEFBF8EB48320F14841EE919A7200C775A545CFA5
                                            APIs
                                            • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,00EEEAB2), ref: 00EEEB9F
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4495488721.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_ee0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: GlobalMemoryStatus
                                            • String ID:
                                            • API String ID: 1890195054-0
                                            • Opcode ID: 6f0d7c6fcb3aca0dc0ddc75340513b5dee7b69c97adbfa7e4a39fcad16e4ba98
                                            • Instruction ID: 876f1672a8870b7c3152f1d9a2427cf2b4cc956d5feb7209e997cb7e1f05ce4c
                                            • Opcode Fuzzy Hash: 6f0d7c6fcb3aca0dc0ddc75340513b5dee7b69c97adbfa7e4a39fcad16e4ba98
                                            • Instruction Fuzzy Hash: 5A1103B1C006599BCB20CF9AC845AAEFBF4EB48320F14816AD918B7241D779A944CFA5
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,068CB1F1,00000800,00000000,00000000), ref: 068CB3E2
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500333211.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68c0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: c483755854344fbc2066987c1ada1f35916458d9d897ca42ca9d9595f7dbf288
                                            • Instruction ID: 603414bf9491bf57989265fa874fde70b6e09c8af76aa83714db3604057b7305
                                            • Opcode Fuzzy Hash: c483755854344fbc2066987c1ada1f35916458d9d897ca42ca9d9595f7dbf288
                                            • Instruction Fuzzy Hash: FB1117B6C00349CFDB10CFAAD844A9EFBF4EB48320F10842ED915A7200C375A545CFA5
                                            APIs
                                            • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,00EEEAB2), ref: 00EEEB9F
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4495488721.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_ee0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: GlobalMemoryStatus
                                            • String ID:
                                            • API String ID: 1890195054-0
                                            • Opcode ID: 7ec54f15fa08825be6a4f9c1bd725b878d4ae25e150a98d9a71b33cef7383369
                                            • Instruction ID: e71988a41a6ede849a2d82325a0f8dae29f61dd22799b880b657fe19f3cdba7d
                                            • Opcode Fuzzy Hash: 7ec54f15fa08825be6a4f9c1bd725b878d4ae25e150a98d9a71b33cef7383369
                                            • Instruction Fuzzy Hash: 8E1103B2C046599FCB20CF9AC444AEEFBF5AF48320F14816AD818B7251D778A944CFA5
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 068CB176
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500333211.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68c0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: d09e37851fb78aedd9e034c094c188a1b5854d5232d9dfdc5bfa2e02bb5fc816
                                            • Instruction ID: dad5f7706a48d0a8774eee41fa22cf4e55f8b3a6e38b2e64715f477cd70a2644
                                            • Opcode Fuzzy Hash: d09e37851fb78aedd9e034c094c188a1b5854d5232d9dfdc5bfa2e02bb5fc816
                                            • Instruction Fuzzy Hash: 8611E0B6C006498FCB10CF9AD844ADEFBF4EF89320F14842AD929B7610C375A545CFA5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: XPjq
                                            • API String ID: 0-4216394854
                                            • Opcode ID: 4d76e00f20006f011205aa10222250cd7ab2520d214afbc4cfae3cc711e058d7
                                            • Instruction ID: 635077e77419433eb9cc71464ecc7377bc41e8d633fee935ec15e7fe4f176d36
                                            • Opcode Fuzzy Hash: 4d76e00f20006f011205aa10222250cd7ab2520d214afbc4cfae3cc711e058d7
                                            • Instruction Fuzzy Hash: 57416074F002089FDB45DFA5C855BAEBBF6EF88300F20852AE505EB395DE749D058B91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PHeq
                                            • API String ID: 0-2873676430
                                            • Opcode ID: db96b52e0f80dac6c6f713204eb955ccfe75e31f9eff5dfefa8cd1bb4614e72e
                                            • Instruction ID: 219cada61da25a0dbc44fb23bb51766ee6536e61b737ee9404db7084b4353ea0
                                            • Opcode Fuzzy Hash: db96b52e0f80dac6c6f713204eb955ccfe75e31f9eff5dfefa8cd1bb4614e72e
                                            • Instruction Fuzzy Hash: 29416C70E006099FDB55DF65C59479EBBB2EF85304F204929E506EB280EB70A946CBA0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PHeq
                                            • API String ID: 0-2873676430
                                            • Opcode ID: fe7f5369ff5b383a683d590b412e8972e71c0c466b48362aaea77e24fb805099
                                            • Instruction ID: 8bf914232a2e4c023e0a1c42ecc140c8bc2d1ed65331395dbd8dd8d89f10a265
                                            • Opcode Fuzzy Hash: fe7f5369ff5b383a683d590b412e8972e71c0c466b48362aaea77e24fb805099
                                            • Instruction Fuzzy Hash: 0D418E70E006099FDB55DF75D59069EBBB2FF85304F104929E906E7380EB70E846CBA0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PHeq
                                            • API String ID: 0-2873676430
                                            • Opcode ID: e40be36444790ee66c8830bfc9fee816a30488c370c199e2b3437c5bbaf8188f
                                            • Instruction ID: c7dc92117f08cc9671e855b1c5c318a535c0967c1f7082f871cc6af962840f13
                                            • Opcode Fuzzy Hash: e40be36444790ee66c8830bfc9fee816a30488c370c199e2b3437c5bbaf8188f
                                            • Instruction Fuzzy Hash: DA312430B002018FDB459B74D5647AE7BA3EF89214F208968D506EB3A5EF35DD46C7A0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PHeq
                                            • API String ID: 0-2873676430
                                            • Opcode ID: ef0d82630205bfafd440fb61b5fcf47638f8f8cb043f165d590e9ed3856de6e0
                                            • Instruction ID: 2cbe4534a78c7afc30c2270ae05992aedf9409e94e8574e07a57898b46bb019d
                                            • Opcode Fuzzy Hash: ef0d82630205bfafd440fb61b5fcf47638f8f8cb043f165d590e9ed3856de6e0
                                            • Instruction Fuzzy Hash: 23310430B102058FDB49AB74D96476E7BA3AF89304F208828D506DB3A5EF35DD41C7A0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $eq
                                            • API String ID: 0-731066626
                                            • Opcode ID: c2f300416051a268ccab5215e41c2c56bcbdc48c03eeb21072840c3920a9668d
                                            • Instruction ID: 6312ee7636b1836f2866d5374b879ab0984ef0f85fda9c7a6153bfee7c1f39d1
                                            • Opcode Fuzzy Hash: c2f300416051a268ccab5215e41c2c56bcbdc48c03eeb21072840c3920a9668d
                                            • Instruction Fuzzy Hash: F7F0C2B1B10205CFDFACDA59E9816BC77A5EB44318F14847ADA0DD7245C731EE06C7A1
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f02a3ba13e0479d132c11b50520121e36fa6024f5da2a66633c8e8420e88554a
                                            • Instruction ID: eea58bc6448561a0d730a6b62d5437fbf00ab09eabf03cea54a5d1fad5f5e5f3
                                            • Opcode Fuzzy Hash: f02a3ba13e0479d132c11b50520121e36fa6024f5da2a66633c8e8420e88554a
                                            • Instruction Fuzzy Hash: 23A1B9B4F101088BEF64DBADD4907AEB7F7EB89310F618425E609E7395CA34DC819761
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 473a264c6cb5ce06289f2dae5d6600f0eeb9b77bb56406f35045225593498dd0
                                            • Instruction ID: 6de643795f94229678826d44ff262d3fcc4c42a20c35261172c3efe398376bae
                                            • Opcode Fuzzy Hash: 473a264c6cb5ce06289f2dae5d6600f0eeb9b77bb56406f35045225593498dd0
                                            • Instruction Fuzzy Hash: C461B371F004114FCB519A6EDC8066FBAD7AFC8220F254439D90EDB365EE69ED4287D1
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 62300845e55eddd5bcac395384efd5b20cce3aafbb694ce4a949421c7b623048
                                            • Instruction ID: 44f795334ac190d856e009512f01ae7bb9a4837d91700b80ce87a13be072eb49
                                            • Opcode Fuzzy Hash: 62300845e55eddd5bcac395384efd5b20cce3aafbb694ce4a949421c7b623048
                                            • Instruction Fuzzy Hash: BB812B30B106098FDB54DFA8D5947AEB7F6AF89300F148529D50AEB399EF34EC428B51
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 859ad586cb78a2b4af756c85701833d7b1ee7fcf022e9403aa872fedf1f315c4
                                            • Instruction ID: 87ab22d11d6d3a9e48d397eca5e3db5680b2bfd127be113fcdf1f4c59c30f332
                                            • Opcode Fuzzy Hash: 859ad586cb78a2b4af756c85701833d7b1ee7fcf022e9403aa872fedf1f315c4
                                            • Instruction Fuzzy Hash: 9A813C30B106098BDB54DFA8D59479EB7F6AF89300F108529D50AEB399EE34EC428B51
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c32c28133cdd2c0c0a3554ce6bb243371feb6fd5655fd9081084469e30036286
                                            • Instruction ID: 424302e1e8fc4f48924498efecfb27d4503185b7acbc747fb73af1b1a70db6d1
                                            • Opcode Fuzzy Hash: c32c28133cdd2c0c0a3554ce6bb243371feb6fd5655fd9081084469e30036286
                                            • Instruction Fuzzy Hash: 1F914D74E006198BDF60DF68C880B9DB7B1FF89300F208699D549FB295DB70AA85CF91
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7d6d83a7b0f89be4f6005de36e0609a7f5d0921bb4308c47a9e8c415cd600924
                                            • Instruction ID: c2a8b02d414df8eb3ef7ce15c04931ac19153770452978c51ff87bd5da64a2e7
                                            • Opcode Fuzzy Hash: 7d6d83a7b0f89be4f6005de36e0609a7f5d0921bb4308c47a9e8c415cd600924
                                            • Instruction Fuzzy Hash: 5F912B74E106198BDF60DF68C880B9DB7B1FF89300F208599D549FB295EB71AA85CF90
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 84f808f165a58852c4f018f5f1d44515fe82911e82efb214deccfef72419ff3f
                                            • Instruction ID: cf9bfbf801212e1a96d3f01577b9bc1f48769fae516073c84e48b3d1fc8d29ae
                                            • Opcode Fuzzy Hash: 84f808f165a58852c4f018f5f1d44515fe82911e82efb214deccfef72419ff3f
                                            • Instruction Fuzzy Hash: 63711F70A006099FDB94DFA9D984A9DBBF6EF84310F24C429E409EB355DB30ED45CB61
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: acca48601b97fbcbe2a3231a371b32af6505d00364246f29dc6ae078b96bfdff
                                            • Instruction ID: 48f6d4d6b28561e1242d597d620a8710d221722031f55f0f72d815c86fb90c74
                                            • Opcode Fuzzy Hash: acca48601b97fbcbe2a3231a371b32af6505d00364246f29dc6ae078b96bfdff
                                            • Instruction Fuzzy Hash: D8712E70A006099FDB94DFA9D984AADBBF6EF84310F24C429E409EB355DB30ED46CB50
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 367c50bac33ac3630d12f31287ff7d8950f24a70f3c60f3e1bce92020a1d39e5
                                            • Instruction ID: 86e2386da5620d5bcfe49f6bedbdb816fd68780a07b546750382185cbb3a4601
                                            • Opcode Fuzzy Hash: 367c50bac33ac3630d12f31287ff7d8950f24a70f3c60f3e1bce92020a1d39e5
                                            • Instruction Fuzzy Hash: 9051EA74B202049BEFA16A7DD85572F379AD789350F20442AE70BD73DACA78CC4197B2
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4ca79c00197c918aba372c87cabdb37b6ccca2ed12daba130de2cee3847e76fb
                                            • Instruction ID: f5005edef8df401da8ecf3547030a6d6c6515d874446b2eae1ff972e9a6054e7
                                            • Opcode Fuzzy Hash: 4ca79c00197c918aba372c87cabdb37b6ccca2ed12daba130de2cee3847e76fb
                                            • Instruction Fuzzy Hash: D651EF31E00119DFCF54AFB8E8846ADBBB2EF89311F108869E707E7250DB359955DBA0
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a4318e29b52cbf68f8368f8191eb4441f1c6c339988d10ba698f51f95a5d7dcd
                                            • Instruction ID: 15a34da06b68101c2abc28da910e391fcd28422c653e63f6ed958deeacf14517
                                            • Opcode Fuzzy Hash: a4318e29b52cbf68f8368f8191eb4441f1c6c339988d10ba698f51f95a5d7dcd
                                            • Instruction Fuzzy Hash: 1051E674B202049BEFA16ABDD85572F379AD789310F20442AE70BD73D9CA78CC4197B2
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0ed15b66c54eaede2dbba7ff004e60d3e580412d290f9905bcaea83b58c8ed82
                                            • Instruction ID: efb63be866b2cb1f0f27dd7de425031b022fb5f12ca764a197099fc789b2df07
                                            • Opcode Fuzzy Hash: 0ed15b66c54eaede2dbba7ff004e60d3e580412d290f9905bcaea83b58c8ed82
                                            • Instruction Fuzzy Hash: B2410231F101059FCB58AF78E8442AEBBB2EF84311F50887AE60AD7256DF35986587A0
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f0fb34141d5fbecd9b1025361852d3071a9a91219f3842fe6534d9cb73070ad8
                                            • Instruction ID: 6e10474bfa16d28813c6e581360bfca673d6282e222ba017db392a1f6c0f792b
                                            • Opcode Fuzzy Hash: f0fb34141d5fbecd9b1025361852d3071a9a91219f3842fe6534d9cb73070ad8
                                            • Instruction Fuzzy Hash: D7414271E006098FDF70CE99D881AAFF7F6FB84311F10492AE215D7650D731E9558BA2
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 73a50c91c07007b9ef7589dd17b993be45600688e7541fc59bab57f4a143aeb7
                                            • Instruction ID: 9ebb3b4ad6fd75269f47d44963a0d396c8cf24c0e6fcf2957a623255c24881be
                                            • Opcode Fuzzy Hash: 73a50c91c07007b9ef7589dd17b993be45600688e7541fc59bab57f4a143aeb7
                                            • Instruction Fuzzy Hash: 3C31E330E1420A8FCF55DF69D98069EBBB5EF85300F108929E405EB305EB70A946CB90
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 01c8489170669c27159b83003d754c43fb13b1f528a1dd113565439e0b110269
                                            • Instruction ID: d442f86242f8b639194e9f6aaad138d96bdd52c57277b2a065dd4fd4e57d051a
                                            • Opcode Fuzzy Hash: 01c8489170669c27159b83003d754c43fb13b1f528a1dd113565439e0b110269
                                            • Instruction Fuzzy Hash: 12319E34E102059FCF19DF64D8A4A9EBBB2EF89300F14C529EA06E7350DB71AD46CB50
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b31e1d77257b26c6878c718565bd97c46ae555656526df2a0ce28ef782774bdc
                                            • Instruction ID: c324581c28b2fd82d392eb04f6e885f689c68650954d4388d753a7b1b9deb512
                                            • Opcode Fuzzy Hash: b31e1d77257b26c6878c718565bd97c46ae555656526df2a0ce28ef782774bdc
                                            • Instruction Fuzzy Hash: C3318C34E102099BCF19DF65D8A4A9EB7B2FF89300F10C529EA06E7350DB71AD46CB90
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3963f2884837c61b779be28d6db598af405cf63da33906243077053d817ba850
                                            • Instruction ID: 057de7c81c43c6cfdbba1377ab0c5721b2f03ce5f3e240bf259f3d9eda7cc4db
                                            • Opcode Fuzzy Hash: 3963f2884837c61b779be28d6db598af405cf63da33906243077053d817ba850
                                            • Instruction Fuzzy Hash: E1218B75F106199FDB00DFA9E981BEEB7F5AB88710F088025E905E7395E734DD018B91
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4e3e2a0810b47c314d8eedf76ffd28a66ef028ba64ae7f8b0aa1ec9288691cb0
                                            • Instruction ID: 88b5af1f17531b9cf6ff8caf23877a72cd96c78294061fa290a5df24e15b2cf0
                                            • Opcode Fuzzy Hash: 4e3e2a0810b47c314d8eedf76ffd28a66ef028ba64ae7f8b0aa1ec9288691cb0
                                            • Instruction Fuzzy Hash: 31217A75F106198FDB40DF69E980AAEB7F1AB88710F188029EA05E7295E730D9018BA1
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4495317600.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e9d000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cc88f078dc39349d4393918ffaab2005210372e405ba261bae5a57f8c420b0ad
                                            • Instruction ID: 293358857ee168fb084ee9a117a93107fb3d37ece760eeef6a09d64453a6014d
                                            • Opcode Fuzzy Hash: cc88f078dc39349d4393918ffaab2005210372e405ba261bae5a57f8c420b0ad
                                            • Instruction Fuzzy Hash: 68316B7550D3C49FCB03CB24C994711BF71AB46314F29C5DBD9898B2A3C23A980ACB62
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4495317600.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e9d000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d46595213e36a070a8018fe554fa84663f2552026138191ff4ce655ceacf6d51
                                            • Instruction ID: 994430241f8d1d90d5082d94905624211f6f3edaf5bca0bf4c8d71585d9d83b0
                                            • Opcode Fuzzy Hash: d46595213e36a070a8018fe554fa84663f2552026138191ff4ce655ceacf6d51
                                            • Instruction Fuzzy Hash: 8121F2B5508304DFDF15DF14DDC0B26BBA6FB88318F24C56DD8095B296C33AD846CA62
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b309249e16a753e4f09aedf81fa213cba99d6c461ee0ffc4388d91a4c97dca7f
                                            • Instruction ID: 21afb3d91b1f608867c9648146406be003e3dea4012d38ef0473606c3c5523f6
                                            • Opcode Fuzzy Hash: b309249e16a753e4f09aedf81fa213cba99d6c461ee0ffc4388d91a4c97dca7f
                                            • Instruction Fuzzy Hash: 0C116071E002189BCF54DB79D8815EEF7B5EF8A310F108579E506E7205DA319E45CBE2
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3c88887fd9b6d0411092578603d7fc1851ed47e8f92e4ace6abed116b7453c2d
                                            • Instruction ID: b87e9ad9b7a2385d110840b15dde22aa7c0c908d980610057ff20d390bf98ce6
                                            • Opcode Fuzzy Hash: 3c88887fd9b6d0411092578603d7fc1851ed47e8f92e4ace6abed116b7453c2d
                                            • Instruction Fuzzy Hash: 9A11C431F145298FCF549678E9546AE73EAEBC9710F048139D90AE7358EE34DC028BE1
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d07e5fef55694395105c80f4dce50949cb35188abd7d57f1c4d26511b7846b55
                                            • Instruction ID: 4ce79d7ccdf43d05be5b7c442ef398711cc2c3c53f707bfaab4b66a935e0ce17
                                            • Opcode Fuzzy Hash: d07e5fef55694395105c80f4dce50949cb35188abd7d57f1c4d26511b7846b55
                                            • Instruction Fuzzy Hash: E201DF31B005100BDB51D6BCD805B6FB7EADBC9714F28883AE10EDB346E924DC4243A1
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 475ee294e8f1bbf2f8617a2e36cf11da14f33d74d9197ef97018308a1c476364
                                            • Instruction ID: c0ffb5996b8ee8ff14ba6835c3ab03c9c33a96b45efccb93c2fd7ec5674c314a
                                            • Opcode Fuzzy Hash: 475ee294e8f1bbf2f8617a2e36cf11da14f33d74d9197ef97018308a1c476364
                                            • Instruction Fuzzy Hash: BB11D0B5D00259AFCB10CF9AD884ADEFFB8FB49310F50812AE918A7240C775A954CFA5
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 64795794768a1fa34a59b3430e5e9436d3410ef971ff8d70a62b6f73b26d47e3
                                            • Instruction ID: 46f6eb33dd46b261d79532ff07f3c18460130284953e2b653d085b8c841adaab
                                            • Opcode Fuzzy Hash: 64795794768a1fa34a59b3430e5e9436d3410ef971ff8d70a62b6f73b26d47e3
                                            • Instruction Fuzzy Hash: F9018C31B100100BDB6496BDD455B2FB7DADBCDB24F24883AE60EC7345ED61EC4243A5
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 472d018d813481185d940ad5292a6bfdc0c12cb991c471348be477fb83759ee1
                                            • Instruction ID: 724ce306403a459c097a3b5f81b0fa9650d57edb4c3802142351d02dce9271c9
                                            • Opcode Fuzzy Hash: 472d018d813481185d940ad5292a6bfdc0c12cb991c471348be477fb83759ee1
                                            • Instruction Fuzzy Hash: EB21FFB5D00219AFCB10CF9AD984ADEFBB4FB09310F10812AE918B7240C375A954CFA5
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: eed6ce349d1ad83e094d7e861af352e47efe129a9478b9798c40f4017c1867fc
                                            • Instruction ID: c5c964cbedec22fd4b4f0e1106d07927010385b39f61a36afcd7bf5b30779a07
                                            • Opcode Fuzzy Hash: eed6ce349d1ad83e094d7e861af352e47efe129a9478b9798c40f4017c1867fc
                                            • Instruction Fuzzy Hash: 5E018432F144144FDF549668A8542FF37AAABC9710F08413AD90AE7294EE24DC0287A2
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9fab982af1e0316a664e05de856635b9bdeeedfb16e120603025ee336b36d402
                                            • Instruction ID: cd30344372d3b49bbe4390985f67e60d3d369c939307a99bb64785aee8e41616
                                            • Opcode Fuzzy Hash: 9fab982af1e0316a664e05de856635b9bdeeedfb16e120603025ee336b36d402
                                            • Instruction Fuzzy Hash: 8B01D630B141111FCB59E67CE85575E77E6EB86750F248839F50AC7355DA21EC028791
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6506fdb97882c6ec7a2011c548a8175fa10916cac278d993de2bd3737ac94544
                                            • Instruction ID: d6328f7a2912a7b6475404a0b33799d3c9d098bda3c0350ffe44e1b4ca40b3ad
                                            • Opcode Fuzzy Hash: 6506fdb97882c6ec7a2011c548a8175fa10916cac278d993de2bd3737ac94544
                                            • Instruction Fuzzy Hash: C301A231B104118FCB66DA7CE458B2EB3EADBC9610F14893DE24ACB345DE61EC024791
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 572c7ce0e7f5762a646cf98f414017a17c76868f26cad5e3054ab00f95825559
                                            • Instruction ID: 960293c357216f58197a4de839d0445a9805db649a2953ccddefee35cc72bad1
                                            • Opcode Fuzzy Hash: 572c7ce0e7f5762a646cf98f414017a17c76868f26cad5e3054ab00f95825559
                                            • Instruction Fuzzy Hash: 12018C31B100108BCB65D97DA458B2E77EADBC9620F108839E60ACB341EE61EC0247A1
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4e0239d99113ce3d5a0feaf2c12f943d5caab0f046f6453b4929f26cf0538ade
                                            • Instruction ID: caeeb7c67b248eb54a657b360f92bf1edc6b5502fe7f3e26b4dceb9b292a6c71
                                            • Opcode Fuzzy Hash: 4e0239d99113ce3d5a0feaf2c12f943d5caab0f046f6453b4929f26cf0538ade
                                            • Instruction Fuzzy Hash: DF01AF30B101104BCB68E6BCE854B2E77DAEB8A750F208839E60EC7355DE21ED028791
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e2157787157ef75d297d223ee2456195f1863ffc1c872546a00bf752f2846850
                                            • Instruction ID: 9697163b69b0b73d6bffc7d77868e2f671ab67773809060b7e543764bd7bf314
                                            • Opcode Fuzzy Hash: e2157787157ef75d297d223ee2456195f1863ffc1c872546a00bf752f2846850
                                            • Instruction Fuzzy Hash: 77E0D871E5520C6BDF60CEB4CD5579E7BADD702214F1088A6D904D7181F536DD4543A2
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: aa976699a50b98a0a6b50c08d3026a88d70fc42e5459dfcadbf44bb0d2ea6d04
                                            • Instruction ID: 18a89033260992ff7a292ab310ddb26edb77cf22dd3d29c632d34461655aa863
                                            • Opcode Fuzzy Hash: aa976699a50b98a0a6b50c08d3026a88d70fc42e5459dfcadbf44bb0d2ea6d04
                                            • Instruction Fuzzy Hash: 77E0C270E1010CABDF60CEB4CA4575E73AED701218F2088A5D508D7241F632DE4143A1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq
                                            • API String ID: 0-2049195972
                                            • Opcode ID: 8e9c83cf00fbcfef1c24330c84344413a4468b89bd8bfbee5c05ea6e9345c2d3
                                            • Instruction ID: 536f1218557ce1cc1ecc8aa8a7f359246c2a73b112a3084bfaa2fde937322ac0
                                            • Opcode Fuzzy Hash: 8e9c83cf00fbcfef1c24330c84344413a4468b89bd8bfbee5c05ea6e9345c2d3
                                            • Instruction Fuzzy Hash: 3B121C30E01219CFDB64DF65C994AAEB7B2BF88304F208569D50AEB365DB309D85CF91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq
                                            • API String ID: 0-1110479544
                                            • Opcode ID: 72eb9010c86edce4a69d86ddcd4996a81acee65642c4daf869282ba5ba81cd4b
                                            • Instruction ID: 37aa50e7d90908427638242cb938bfb1f672a5accc3237ed27aee7ead68dc75c
                                            • Opcode Fuzzy Hash: 72eb9010c86edce4a69d86ddcd4996a81acee65642c4daf869282ba5ba81cd4b
                                            • Instruction Fuzzy Hash: 5E918030A10209DFDB68EF65D585B6E7BF2EF84310F208529E405EB395DB759D81CBA0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .5}q$$eq$$eq$$eq$$eq$$eq$$eq
                                            • API String ID: 0-1622854337
                                            • Opcode ID: 3fd1de414611dc29085bae11322c21323a40ef5e9dd8cdf07dcd0122e9c47ea4
                                            • Instruction ID: c29718aa138ad1da72527d267a8ce474e26788aacc33f27644bcf5948bdaedbd
                                            • Opcode Fuzzy Hash: 3fd1de414611dc29085bae11322c21323a40ef5e9dd8cdf07dcd0122e9c47ea4
                                            • Instruction Fuzzy Hash: F6F13C30A10208CFDB55EFA5D494A6EB7B2FF84300F648568D506DB3A9DB71AC82CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $eq$$eq$$eq$$eq
                                            • API String ID: 0-812946093
                                            • Opcode ID: 7ef35b18ad84714e9ea4c608942587e710512cfc35414cf22a5056f6756e832d
                                            • Instruction ID: d7ced4df4407aa1df52a470442ed2aea475d8ca014fae9f47eaff25aa69f7e23
                                            • Opcode Fuzzy Hash: 7ef35b18ad84714e9ea4c608942587e710512cfc35414cf22a5056f6756e832d
                                            • Instruction Fuzzy Hash: E8B14C70B10208CFDB64EB69D555AAEB7B2EF84310F24C529D50AEB395DB74DC82CB90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $eq$$eq$$eq$$eq
                                            • API String ID: 0-812946093
                                            • Opcode ID: d23bc445550741fe0941e1ad0fdfdb6988e9cf18731dfd1e2831c8e687ea3ba4
                                            • Instruction ID: 672dfb8ae2125bd9038b991e8c26a714979fc1de928e650f72557503e3b0506d
                                            • Opcode Fuzzy Hash: d23bc445550741fe0941e1ad0fdfdb6988e9cf18731dfd1e2831c8e687ea3ba4
                                            • Instruction Fuzzy Hash: 77517330E10204CFDFA9EB65D5806ADB7B2EF89311F248969E505E7356DB31EC42CBA1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LReq$LReq$$eq$$eq
                                            • API String ID: 0-731573373
                                            • Opcode ID: f4dc862141616020f6194e413bd09a4514e30da2b0b2d3a9a17cb4daf3c4b0a5
                                            • Instruction ID: 9b14de0974eb6f3a7e54bab5db1f95834df2eb4b779f1124a2754ca0aa67cbf6
                                            • Opcode Fuzzy Hash: f4dc862141616020f6194e413bd09a4514e30da2b0b2d3a9a17cb4daf3c4b0a5
                                            • Instruction Fuzzy Hash: 91518E70B102059FDB58EB39D981A6E77E6FF88304F14C568E506DB3A9DA31EC41CBA1
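The six records above are Joe Sandbox function-similarity entries for code recovered from the injected process's memory region at 068D0000: each pairs a function's opcode and instruction fuzzy hashes with the set of strings it references. When you want to pivot on these (say, to find functions that share a string signature even though their opcode hashes differ, or to collect instruction fuzzy hashes for later correlation), it helps to parse the records rather than read them by hand. The following parser is an added example and is not Joe Sandbox code; the field names come from the layout shown above, the regex and the splitting of the "Source File" line into sub-fields are my own assumptions about that layout, and the embedded sample is a constructed excerpt containing three of the records from this page.

```python
import re
from collections import defaultdict

# Constructed excerpt: three of the report's records, copied verbatim from the page.
SAMPLE = """
Strings
Memory Dump Source
• Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
Similarity
• API ID:
• String ID: $eq$$eq$$eq$$eq
• API String ID: 0-812946093
• Opcode ID: 7ef35b18ad84714e9ea4c608942587e710512cfc35414cf22a5056f6756e832d
• Instruction ID: d7ced4df4407aa1df52a470442ed2aea475d8ca014fae9f47eaff25aa69f7e23
• Opcode Fuzzy Hash: 7ef35b18ad84714e9ea4c608942587e710512cfc35414cf22a5056f6756e832d
• Instruction Fuzzy Hash: E8B14C70B10208CFDB64EB69D555AAEB7B2EF84310F24C529D50AEB395DB74DC82CB90
Strings
Memory Dump Source
• Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
Similarity
• API ID:
• String ID: $eq$$eq$$eq$$eq
• API String ID: 0-812946093
• Opcode ID: d23bc445550741fe0941e1ad0fdfdb6988e9cf18731dfd1e2831c8e687ea3ba4
• Instruction ID: 672dfb8ae2125bd9038b991e8c26a714979fc1de928e650f72557503e3b0506d
• Opcode Fuzzy Hash: d23bc445550741fe0941e1ad0fdfdb6988e9cf18731dfd1e2831c8e687ea3ba4
• Instruction Fuzzy Hash: 77517330E10204CFDFA9EB65D5806ADB7B2EF89311F248969E505E7356DB31EC42CBA1
Strings
Memory Dump Source
• Source File: 00000004.00000002.4500380011.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_68d0000_BULK HARVEST - VESSEL PARTICULARS.jbxd
Similarity
• API ID:
• String ID: LReq$LReq$$eq$$eq
• API String ID: 0-731573373
• Opcode ID: f4dc862141616020f6194e413bd09a4514e30da2b0b2d3a9a17cb4daf3c4b0a5
• Instruction ID: 9b14de0974eb6f3a7e54bab5db1f95834df2eb4b779f1124a2754ca0aa67cbf6
• Opcode Fuzzy Hash: f4dc862141616020f6194e413bd09a4514e30da2b0b2d3a9a17cb4daf3c4b0a5
• Instruction Fuzzy Hash: 91518E70B102059FDB58EB39D981A6E77E6FF88304F14C568E506DB3A9DA31EC41CBA1
"""

# Assumed layout: every field is a bullet line "• <key>: <value>" (value may be empty).
BULLET = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")


def parse_records(text):
    """Split the report text into one dict per function record."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Strings":            # each record opens with this header
            cur = {}
            records.append(cur)
            continue
        m = BULLET.match(line)
        if m is None or cur is None:
            continue                     # section labels such as "Similarity"
        key, val = m.group("key").strip(), m.group("val").strip()
        if key == "Source File":
            # "<dump>.sdmp, Offset: <hex>, based on PE: <bool>" -> three fields
            parts = [p.strip() for p in val.split(", ")]
            cur["Source File"] = parts[0]
            for part in parts[1:]:
                k, _, v = part.partition(": ")
                cur[k] = v
        else:
            cur[key] = val
    return records


def group_by(records, field):
    """Map each distinct value of `field` to the Opcode IDs that carry it."""
    groups = defaultdict(list)
    for r in records:
        groups[r.get(field, "")].append(r["Opcode ID"])
    return dict(groups)


def shared_string_signatures(records):
    """API String IDs referenced by more than one function: a pivot that
    survives opcode-level differences between two functions."""
    return {k: v for k, v in group_by(records, "API String ID").items() if len(v) > 1}


def distinct_fuzzy_hashes(records):
    """Instruction fuzzy hashes, deduplicated, for correlation against other dumps."""
    return sorted({r["Instruction Fuzzy Hash"] for r in records})


def opcode_ids_consistent(records):
    """In this report the Opcode ID repeats the Opcode Fuzzy Hash; flag any record where it does not."""
    return all(r["Opcode ID"] == r["Opcode Fuzzy Hash"] for r in records)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(len(recs), "records from", recs[0]["Source File"], "offset", recs[0]["Offset"])
    for sig, ids in shared_string_signatures(recs).items():
        print("shared API String ID", sig, "->", [i[:12] for i in ids])
    print("instruction fuzzy hashes:", distinct_fuzzy_hashes(recs))
```

Run on the full set of records from the report, the same parser shows that the two functions with API String ID 0-812946093 have different opcode and instruction hashes, so the string signature is the only field that links them; keep that in mind before treating either hash as a unique marker for the family.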