Windows Analysis Report
PURCHASE ORDER-6350-2024.exe

Overview

General Information

Sample name: PURCHASE ORDER-6350-2024.exe
Analysis ID: 1528943
MD5: e25b8037dca1fdb8e69cb26bd1cb4f17
SHA1: 5a05ef1979ba60a139cb987e7ab3abf1115acba8
SHA256: 42db38678ebdd31dbcab40014ff3b96a8b263f77e8484901226defbdfbb8eba6
Tags: AgentTesla, exe, user-threatcat_ch

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection

Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": " *o9H+18Q4%;M "}
Source: PURCHASE ORDER-6350-2024.exe ReversingLabs: Detection: 21%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: PURCHASE ORDER-6350-2024.exe Joe Sandbox ML: detected
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: DataDir
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Folder.lst
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \Mailbox.ini
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Account
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: PassWd
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Account
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: SMTPServer
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Account
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: MailAddress
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Becky!
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Outlook
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Email
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: IMAP Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: POP3 Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: HTTP Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: SMTP Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Email
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Email
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Email
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: IMAP Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: POP3 Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: HTTP Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: SMTP Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Server
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Windows Mail App
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Email
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Server
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: SchemaId
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: pResourceElement
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: pIdentityElement
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: pPackageSid
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: pAuthenticatorElement
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: syncpassword
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: mailoutgoing
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: FoxMail
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Executable
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: FoxmailPath
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \Storage\
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \Storage\
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \mail
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \mail
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \Accounts\Account.rec0
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \Accounts\Account.rec0
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \Account.stg
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \Account.stg
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: POP3Host
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: SMTPHost
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: IncomingServer
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Account
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: MailAddress
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: POP3Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Opera Mail
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: opera:
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\|';:,<>/?+=
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: PocoMail
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: appdata
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \Pocomail\accounts.ini
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Email
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: POPPass
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: SMTPPass
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: SMTP
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: eM Client
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: eM Client\accounts.dat
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: eM Client
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Accounts
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: "Username":"
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: "Secret":"
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: "ProviderName":"
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: o6806642kbM7c5
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Mailbird
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: SenderIdentities
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Accounts
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \Mailbird\Store\Store.db
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Server_Host
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Accounts
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Email
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Username
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: EncryptedPassword
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Mailbird
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: RealVNC 4.x
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: RealVNC 3.x
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: SOFTWARE\RealVNC\vncserver
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: RealVNC 4.x
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: SOFTWARE\RealVNC\WinVNC4
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: RealVNC 3.x
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Software\ORL\WinVNC3
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: TightVNC
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Software\TightVNC\Server
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: TightVNC
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Software\TightVNC\Server
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: PasswordViewOnly
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: TightVNC ControlPassword
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Software\TightVNC\Server
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: ControlPassword
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: TigerVNC
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Software\TigerVNC\Server
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: UltraVNC
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: ProgramFiles(x86)
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: passwd
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: UltraVNC
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: ProgramFiles(x86)
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: passwd2
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: UltraVNC
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: ProgramFiles
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: passwd
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: UltraVNC
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: ProgramFiles
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: passwd2
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: UltraVNC
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: ProgramFiles
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \UltraVNC\ultravnc.ini
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: passwd
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: UltraVNC
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: ProgramFiles
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \UltraVNC\ultravnc.ini
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: passwd2
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: UltraVNC
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: ProgramFiles(x86)
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \UltraVNC\ultravnc.ini
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: passwd
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: UltraVNC
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: ProgramFiles(x86)
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \UltraVNC\ultravnc.ini
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: passwd2
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: JDownloader 2.0
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: JDownloader 2.0\cfg
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: org.jdownloader.settings.AccountSettings.accounts.ejs
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: JDownloader 2.0\cfg
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: jd.controlling.authentication.AuthenticationControllerSettings.list.ejs
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Paltalk
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Software\A.V.M.\Paltalk NG\common_settings\core\users\creds\
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: nickname
Source: PURCHASE ORDER-6350-2024.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PURCHASE ORDER-6350-2024.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: NnLj.pdbSHA256 source: PURCHASE ORDER-6350-2024.exe
Source: Binary string: NnLj.pdb source: PURCHASE ORDER-6350-2024.exe
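The decrypted strings above are the stealer's target list: an application name, then the environment variable it resolves, the path fragment it appends, the registry key it opens and the value names it reads. The script below is an added example, not part of the Joe Sandbox report, that turns that listing into a per-application inventory of credential stores and resolves the env-var/fragment pairs to absolute paths, so a responder can check which of those stores exist on an affected host and scope credential resets. DECRYPTED is a subset of the report's strings in the order the report prints them; APP_NAMES, ENV_VARS, the classification heuristics and EXAMPLE_ENV are assumptions made for this example.

```python
"""Credential-store inventory built from AgentTesla string-decryptor output.

Added example, not part of the Joe Sandbox report. DECRYPTED is a subset of the
strings the report lists for 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack,
copied in report order; APP_NAMES, ENV_VARS, the heuristics and EXAMPLE_ENV are
assumptions made for this example.
"""
import re
from collections import defaultdict

# Application names that appear as bare strings and act as section markers.
APP_NAMES = {
    "FtpCommander", "FTPGetter", "The Bat!", "Becky!", "Outlook", "Windows Mail App",
    "FoxMail", "Opera Mail", "PocoMail", "eM Client", "Mailbird", "RealVNC 4.x",
    "RealVNC 3.x", "TightVNC", "TightVNC ControlPassword", "TigerVNC", "UltraVNC",
    "JDownloader 2.0", "Paltalk",
}
# Environment variables the stealer resolves and then appends a path fragment to.
ENV_VARS = {"SystemDrive", "appdata", "ProgramFiles", "ProgramFiles(x86)"}
FILE_EXT = re.compile(r"\.(txt|xml|ini|db|dat|ejs|cfn|lst|stg|rec0)$", re.IGNORECASE)

DECRYPTED = [  # constructed subset of the report's decrypted strings, in report order
    "FtpCommander", "SystemDrive",
    "\\Program Files (x86)\\FTP Commander Deluxe\\Ftplist.txt",
    "SystemDrive", "\\cftp\\Ftplist.txt",
    "\\VirtualStore\\Program Files (x86)\\FTP Commander\\Ftplist.txt",
    ";Password=", ";User=",
    "Becky!", "HKEY_CURRENT_USER\\Software\\RimArts\\B2\\Settings", "DataDir",
    "Folder.lst", "\\Mailbox.ini", "Account", "PassWd", "Becky!",
    "Outlook",
    "Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676",
    "IMAP Password", "SMTP Password",
    "UltraVNC", "ProgramFiles(x86)", "\\uvnc bvba\\UltraVNC\\ultravnc.ini", "passwd",
    "UltraVNC", "ProgramFiles", "\\UltraVNC\\ultravnc.ini", "passwd2",
    "Paltalk", "Software\\A.V.M.\\Paltalk NG\\common_settings\\core\\users\\creds\\", "nickname",
]

EXAMPLE_ENV = {  # constructed values for a typical workstation
    "SystemDrive": "C:",
    "APPDATA": "C:\\Users\\user\\AppData\\Roaming",
    "ProgramFiles": "C:\\Program Files",
    "ProgramFiles(x86)": "C:\\Program Files (x86)",
}


def is_registry(s):
    return s.startswith("HKEY_") or s.lower().startswith("software\\")


def is_path_fragment(s):
    return "\\" in s or bool(FILE_EXT.search(s))


def build_inventory(strings):
    """Group decrypted strings by the application whose marker precedes them.

    Returns {app: {"registry": [...], "files": [(env_var or None, fragment)], "values": [...]}}.
    An env-var string immediately followed by a path fragment is recorded as one lookup,
    mirroring the stealer's pattern of resolving the variable and appending the fragment.
    Strings before the first marker (generic helpers such as "HOST") are skipped.
    """
    inv = defaultdict(lambda: {"registry": [], "files": [], "values": []})
    app, pending_env = None, None
    for s in strings:
        if s in APP_NAMES:
            app, pending_env = s, None
            _ = inv[app]  # register the app even if no strings follow
        elif app is None:
            continue
        elif s in ENV_VARS:
            pending_env = s
        elif is_registry(s):
            inv[app]["registry"].append(s)
        elif is_path_fragment(s):
            inv[app]["files"].append((pending_env, s))
            pending_env = None
        else:
            inv[app]["values"].append(s)
    return dict(inv)


def expand_paths(inventory, env):
    """Resolve (env_var, fragment) pairs to absolute paths with a host's environment.

    Fragments with no env-var prefix are returned unchanged: the report does not show
    what the stealer prepends to them, so nothing is guessed here.
    """
    env_ci = {k.lower(): v for k, v in env.items()}
    out = {}
    for app, data in inventory.items():
        paths = []
        for var, frag in data["files"]:
            base = env_ci.get(var.lower()) if var else None
            paths.append(base + frag if base else frag)
        out[app] = paths
    return out


if __name__ == "__main__":
    inventory = build_inventory(DECRYPTED)
    for app, paths in expand_paths(inventory, EXAMPLE_ENV).items():
        print(app)
        for key in inventory[app]["registry"]:
            print("  registry:", key)
        for path in paths:
            print("  file:    ", path)
        print("  values:  ", ", ".join(inventory[app]["values"]))
```

Feed the full decryptor listing instead of the subset to get the complete inventory; the fragments that start with \VirtualStore keep no prefix because the report does not show which directory the stealer prepends.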

Networking

Source: Network traffic Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.5:49707 -> 199.79.62.115:587
Source: Network traffic Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.5:49707 -> 199.79.62.115:587
Source: Network traffic Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.5:49707 -> 199.79.62.115:587
Source: Network traffic Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.5:49707 -> 199.79.62.115:587
Source: Network traffic Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.5:49707 -> 199.79.62.115:587
Source: global traffic TCP traffic: 192.168.2.5:49707 -> 199.79.62.115:587
Source: Joe Sandbox View IP Address: 199.79.62.115
Source: Joe Sandbox View ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Source: global traffic TCP traffic: 192.168.2.5:49707 -> 199.79.62.115:587
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: mail.mbarieservicesltd.com
Source: PURCHASE ORDER-6350-2024.exe, 00000006.00000002.3266110194.0000000002D6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.mbarieservicesltd.com
Source: PURCHASE ORDER-6350-2024.exe, 00000000.00000002.2051720668.0000000002A21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
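The Networking lines show the exfiltration channel: a DNS lookup for mail.mbarieservicesltd.com, a single TCP session from the sandbox host to 199.79.62.115:587 (SMTP submission), and five Suricata signatures firing on that one session. The script below is an added example, not part of the Joe Sandbox report, that parses these lines into IOCs, de-duplicates the repeated flow, and applies the check a network analyst would run on real flow data: workstation traffic to an SMTP port whose destination is not a sanctioned relay. It also ties embedded URLs back to queried domains, which drops http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, a standard .NET claim-type namespace URI that is not attacker infrastructure. REPORT_LINES are copied from this section; MAIL_RELAYS is a constructed allowlist.

```python
"""IOC extraction and outbound-SMTP check for the Networking lines of the report.

Added example, not part of the Joe Sandbox report. REPORT_LINES are copied from
the Networking section; MAIL_RELAYS is a constructed allowlist standing in for an
organisation's sanctioned mail servers.
"""
import re
from collections import defaultdict

SURICATA = re.compile(
    r"Suricata IDS: (?P<sid>\d+) - Severity (?P<sev>\d+) - (?P<msg>.+?) : "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")
FLOW = re.compile(r"TCP traffic: (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")
DNS = re.compile(r"DNS query: (?P<name>[A-Za-z0-9.-]+)")
URL = re.compile(r"String found in binary or memory: (?P<url>https?://\S+)")

REPORT_LINES = [  # copied from the report's Networking section
    "Source: Network traffic Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.5:49707 -> 199.79.62.115:587",
    "Source: Network traffic Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.5:49707 -> 199.79.62.115:587",
    "Source: global traffic TCP traffic: 192.168.2.5:49707 -> 199.79.62.115:587",
    "Source: global traffic TCP traffic: 192.168.2.5:49707 -> 199.79.62.115:587",
    "Source: global traffic DNS traffic detected: DNS query: mail.mbarieservicesltd.com",
    "Source: PURCHASE ORDER-6350-2024.exe, 00000006.00000002.3266110194.0000000002D6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.mbarieservicesltd.com",
    "Source: PURCHASE ORDER-6350-2024.exe, 00000000.00000002.2051720668.0000000002A21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
]
MAIL_RELAYS = {"10.0.0.25"}  # constructed: the only host workstations may submit mail to
SMTP_PORTS = {25, 465, 587}


def extract_iocs(lines):
    """Collect alerts, unique (dst, port) flows, queried domains and embedded URLs."""
    iocs = {"alerts": [], "flows": set(), "domains": set(), "urls": set()}
    for line in lines:
        if m := SURICATA.search(line):
            iocs["alerts"].append((m["sid"], int(m["sev"]), m["msg"]))
            iocs["flows"].add((m["dst"], int(m["dport"])))
        elif m := FLOW.search(line):
            iocs["flows"].add((m["dst"], int(m["dport"])))
        elif m := DNS.search(line):
            iocs["domains"].add(m["name"])
        elif m := URL.search(line):
            iocs["urls"].add(m["url"])
    return iocs


def unsanctioned_smtp(iocs, relays=MAIL_RELAYS):
    """Flows to an SMTP port whose destination is not a sanctioned relay."""
    return sorted((dst, port) for dst, port in iocs["flows"]
                  if port in SMTP_PORTS and dst not in relays)


def domains_for_urls(iocs):
    """Map each queried domain to the embedded URLs that reference it.

    URLs whose host was never resolved (schema/namespace URIs in .NET binaries)
    are left out, since they are not evidence of network contact.
    """
    hits = defaultdict(set)
    for url in iocs["urls"]:
        host = re.sub(r"^https?://", "", url).split("/")[0]
        if host in iocs["domains"]:
            hits[host].add(url)
    return dict(hits)


if __name__ == "__main__":
    found = extract_iocs(REPORT_LINES)
    for sid, sev, msg in found["alerts"]:
        print(f"alert {sid} (severity {sev}): {msg}")
    print("unsanctioned SMTP:", unsanctioned_smtp(found))
    print("contacted domains with URLs:", domains_for_urls(found))
```

On production flow logs the same check should be restricted to workstation source ranges; mail servers legitimately talk to port 25 on arbitrary hosts, and the exfil signal here is a user endpoint submitting mail directly to an external server on 587.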

System Summary

Source: initial sample Static PE information: Filename: PURCHASE ORDER-6350-2024.exe
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Code function: 0_2_010EF044 0_2_010EF044
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Code function: 0_2_06DD3A50 0_2_06DD3A50
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Code function: 0_2_06DDD3D4 0_2_06DDD3D4
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Code function: 0_2_06DD1340 0_2_06DD1340
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Code function: 0_2_06E1E7C3 0_2_06E1E7C3
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Code function: 0_2_06E1F038 0_2_06E1F038
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Code function: 0_2_06E1EC00 0_2_06E1EC00
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Code function: 0_2_06E1EBFF 0_2_06E1EBFF
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Code function: 6_2_01364140 6_2_01364140
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Code function: 6_2_01364D58 6_2_01364D58
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Code function: 6_2_01364488 6_2_01364488
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Code function: 6_2_067235F8 6_2_067235F8
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Code function: 6_2_067219A0 6_2_067219A0
Source: PURCHASE ORDER-6350-2024.exe, 00000000.00000002.2053479431.0000000003A29000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs PURCHASE ORDER-6350-2024.exe
Source: PURCHASE ORDER-6350-2024.exe, 00000000.00000002.2053479431.0000000003A29000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs PURCHASE ORDER-6350-2024.exe
Source: PURCHASE ORDER-6350-2024.exe, 00000000.00000002.2059322242.00000000088B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs PURCHASE ORDER-6350-2024.exe
Source: PURCHASE ORDER-6350-2024.exe, 00000000.00000000.2022902908.000000000071C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameNnLj.exeL vs PURCHASE ORDER-6350-2024.exe
Source: PURCHASE ORDER-6350-2024.exe, 00000000.00000002.2045099806.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PURCHASE ORDER-6350-2024.exe
Source: PURCHASE ORDER-6350-2024.exe, 00000000.00000002.2051720668.0000000002A21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs PURCHASE ORDER-6350-2024.exe
Source: PURCHASE ORDER-6350-2024.exe, 00000000.00000002.2060019477.0000000008940000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs PURCHASE ORDER-6350-2024.exe
Source: PURCHASE ORDER-6350-2024.exe, 00000006.00000002.3264163729.000000000042C000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs PURCHASE ORDER-6350-2024.exe
Source: PURCHASE ORDER-6350-2024.exe, 00000006.00000002.3264545224.0000000000EF8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PURCHASE ORDER-6350-2024.exe
Source: PURCHASE ORDER-6350-2024.exe Binary or memory string: OriginalFilenameNnLj.exeL vs PURCHASE ORDER-6350-2024.exe
Source: PURCHASE ORDER-6350-2024.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PURCHASE ORDER-6350-2024.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3adde58.3.raw.unpack, O.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3adde58.3.raw.unpack, O.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3adde58.3.raw.unpack, P.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3adde58.3.raw.unpack, P.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3adde58.3.raw.unpack, N.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3adde58.3.raw.unpack, N.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3adde58.3.raw.unpack, N.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3adde58.3.raw.unpack, N.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, iv04pT1Nje59B37HvY.cs Security API names: _0020.SetAccessControl
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, iv04pT1Nje59B37HvY.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, iv04pT1Nje59B37HvY.cs Security API names: _0020.AddAccessRule
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, iv04pT1Nje59B37HvY.cs Security API names: _0020.SetAccessControl
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, iv04pT1Nje59B37HvY.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, iv04pT1Nje59B37HvY.cs Security API names: _0020.AddAccessRule
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, P3KWcgP03CKVL94tw3.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, P3KWcgP03CKVL94tw3.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/6@1/1
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PURCHASE ORDER-6350-2024.exe.log
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6752:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aa3ncavf.zhi.ps1
Source: PURCHASE ORDER-6350-2024.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PURCHASE ORDER-6350-2024.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PURCHASE ORDER-6350-2024.exe ReversingLabs: Detection: 21%
Source: PURCHASE ORDER-6350-2024.exe String found in binary or memory: $72794fd6-9579-4364-adda-1580f4b1038b
Source: unknown Process created: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe"
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe"
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe"
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe"
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe"
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe"
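The process tree above shows the defence-evasion step: the sample, running from the user's Desktop, spawns powershell.exe with Add-MpPreference -ExclusionPath pointing at its own path, then re-launches itself (the suspended child that receives the injected AgentTesla payload). The command line here is in clear text, but the same cmdlet is routinely passed through -EncodedCommand, which is what the Sigma rule named in the report's signature list is written for. The script below is an added example, not part of the Joe Sandbox report: a process-creation check that decodes any -EncodedCommand payload (UTF-16LE, base64) before matching on Add-/Set-MpPreference with an -Exclusion* parameter. The record field names, the encoded variant and the benign record are constructed; only the plain Add-MpPreference line is taken from the report.

```python
"""Detection for the Defender-exclusion step in the AgentTesla process tree.

Added example, not part of the Joe Sandbox report. Each process-creation record is
a dict with the parent image and the child command line (field names, the encoded
variant and the benign record are constructed; the plain Add-MpPreference line is
the one the report shows).
"""
import base64
import re

EXCLUSION_CMDLET = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)
EXCLUSION_PARAM = re.compile(r"-Exclusion(Path|Process|Extension|IpAddress)\b", re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# Candidate tokens are validated by decoding, so -ExecutionPolicy etc. do not match.
ENCODED_TOKEN = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)

POWERSHELL = '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"'
PLAIN_CMD = ('Add-MpPreference -ExclusionPath '
             '"C:\\Users\\user\\Desktop\\PURCHASE ORDER-6350-2024.exe"')
# Constructed: the same cmdlet as an -EncodedCommand payload (UTF-16LE, then base64).
ENCODED_PAYLOAD = base64.b64encode(PLAIN_CMD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [  # constructed process-creation records
    {"parent": "C:\\Users\\user\\Desktop\\PURCHASE ORDER-6350-2024.exe",
     "cmdline": f"{POWERSHELL} {PLAIN_CMD}"},
    {"parent": "C:\\Users\\user\\Desktop\\PURCHASE ORDER-6350-2024.exe",
     "cmdline": f"{POWERSHELL} -NoProfile -enc {ENCODED_PAYLOAD}"},
    {"parent": "C:\\Windows\\explorer.exe",
     "cmdline": f"{POWERSHELL} -ExecutionPolicy Bypass Get-MpPreference"},
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if the line carries none."""
    for match in ENCODED_TOKEN.finditer(cmdline):
        try:
            text = base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue  # not a base64/UTF-16LE payload (e.g. "-ExecutionPolicy Unrestricted")
        if text and all(c.isprintable() or c in "\r\n\t" for c in text):
            return text
    return None


def flag_defender_exclusion(cmdline):
    """Classify one command line: (changes_exclusions, was_encoded, effective_script)."""
    decoded = decode_encoded_command(cmdline)
    effective = decoded if decoded is not None else cmdline
    hit = bool(EXCLUSION_CMDLET.search(effective) and EXCLUSION_PARAM.search(effective))
    return hit, decoded is not None, effective


def triage(events):
    """Run the check over process-creation records; keep those that change exclusions."""
    hits = []
    for ev in events:
        hit, encoded, effective = flag_defender_exclusion(ev["cmdline"])
        if hit:
            hits.append({"parent": ev["parent"], "encoded": encoded, "effective": effective})
    return hits


if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print(f"parent={h['parent']} encoded={h['encoded']}\n  {h['effective']}")
```

The parent image is kept in each hit on purpose: an exclusion added from an admin console is routine, while one added by an executable in a user profile, as in this tree, is the signal worth paging on.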
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: PURCHASE ORDER-6350-2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PURCHASE ORDER-6350-2024.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: PURCHASE ORDER-6350-2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: NnLj.pdbSHA256 source: PURCHASE ORDER-6350-2024.exe
Source: Binary string: NnLj.pdb source: PURCHASE ORDER-6350-2024.exe

Data Obfuscation

Source: 0.2.PURCHASE ORDER-6350-2024.exe.2b69bcc.1.raw.unpack, RZ.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, iv04pT1Nje59B37HvY.cs .Net Code: MtQH1fVeKqYooKecnGf System.Reflection.Assembly.Load(byte[])
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, iv04pT1Nje59B37HvY.cs .Net Code: MtQH1fVeKqYooKecnGf System.Reflection.Assembly.Load(byte[])
Source: 0.2.PURCHASE ORDER-6350-2024.exe.5620000.5.raw.unpack, RZ.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.PURCHASE ORDER-6350-2024.exe.2aa1a98.0.raw.unpack, RZ.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: PURCHASE ORDER-6350-2024.exe Static PE information: 0xC32C0DAC [Thu Oct 5 15:50:04 2073 UTC]
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Code function: 0_2_06DCD801 push es; ret 0_2_06DCD810
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Code function: 0_2_06DD5648 pushfd ; iretd 0_2_06DD56F9
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Code function: 0_2_06DD56F0 pushfd ; iretd 0_2_06DD56F9
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Code function: 0_2_06DDAE19 push eax; mov dword ptr [esp], edx 0_2_06DDAE2C
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Code function: 0_2_06DD5638 pushad ; iretd 0_2_06DD5639
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Code function: 0_2_06DDCE30 push es; ret 0_2_06DDCE40
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Code function: 0_2_06E1DE48 push esp; ret 0_2_06E1DE49
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Code function: 6_2_0136F850 push es; ret 6_2_0136F860
Source: PURCHASE ORDER-6350-2024.exe Static PE information: section name: .text entropy: 7.717897542519251
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, L53jeqg7TU3usVYAQC.cs High entropy of concatenated method names: 'av804Aq3dO', 'oPg0wsWmXc', 'iPh0inMgrG', 'm1H0BefjKc', 'veG0PnOHnK', 'ui20oeRsF6', 'jAH0vZC1xq', 'z5X0KWhxlE', 'f9M0uFZKDq', 'WpK0f30Yv6'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, s9YxdXpYvmj4sEtJwg.cs High entropy of concatenated method names: 'HO1ZX0dFDv', 'i3BZ8prWVg', 'ToString', 'sRxZgSgPOe', 'lDJZjGiZuG', 'HgbZT43KMJ', 'zoWZbveHwY', 'KB1Zd2KZID', 'suQZOy0gHX', 'LgEZlEQ9U9'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, z8V6tSE9Kmk8VtHnQ3.cs High entropy of concatenated method names: 'L5CdGnTvgO', 'B1qdjTHB0f', 'StGdb5CFl1', 'QTXdOyGcHV', 'Mbhdl9RtXq', 'MQebHF3Tss', 'RcAbsdgysV', 'yS1bLCMrSG', 'DL2ba6jfn3', 'QGdbCskcGG'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, F4KCalNgCf4yJJMxmi.cs High entropy of concatenated method names: 'Dispose', 'twNcCypQt4', 'DafxBWJaWx', 'gPi77gulml', 'kHgcUuYmp0', 'BheczKE4aY', 'ProcessDialogKey', 'eaLxhP8s10', 'CnSxcYmxpC', 'bX5xxYUGmi'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, vP9haJacLPGwS8wXSo.cs High entropy of concatenated method names: 'gPCOWRWtVk', 'lfgOrK9oJr', 'UIUOtL9dVg', 'LSmORlUOtj', 'wv7OVqjviB', 'CxQO6fGhUr', 'FeDOnNu062', 'fxsO4sQulE', 'bV8OwM5HIx', 'vbSOQiEOCC'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, IScEM5lWVrKlhRvUrx.cs High entropy of concatenated method names: 'f8ScOHvsyX', 'CQMclHI8US', 'BGhcXUt12V', 'dBGc8wZ9V0', 'CvlcIcyqrA', 'dAucSPgoaM', 'TG85DLHDcuKtyVNtsE', 'vcZjHFlUJjecPQw7Qr', 'LQRccxpRSx', 'YE8c2pOpqN'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, kl5mmcflXMc65HWBwM.cs High entropy of concatenated method names: 'z43ZaJ9ICd', 'MLqZUQGiTl', 'JTXyhUBsFF', 'g6YycB8J3W', 'yXQZfcO3pM', 'A2qZ9ylxBL', 'ueCZYEwZQV', 'qn0Z5nTE3R', 'LyLZe0C7Vu', 'C0fZJQkGX6'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, xjSqLJKLfArB0tpMCnq.cs High entropy of concatenated method names: 'nmiDW2nTaS', 'sfiDrJEhwQ', 'Cn1DthvMD1', 'z6MDR33YNZ', 'EEyDVEGbo9', 'fKvD6tbi1S', 'Q4LDnVd7yr', 'O4ID4ancvc', 'FyIDwTOQrS', 'bfhDQjVN2v'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, FW07bIZxXrtNgWto45.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'M28xCk1chl', 'bqNxUJi5cj', 'WJJxzwRgaO', 'MbB2hbb01E', 'MkL2cbxg9c', 'D0o2x1DIOM', 'fd322XZAgl', 'UEtABwVANYrG79ytDCI'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, P3KWcgP03CKVL94tw3.cs High entropy of concatenated method names: 'Ma7j5hJYxa', 'bg4jepGRwo', 'VJ3jJK1Tbv', 'cc2jMjpa1G', 'sI5jHbrttL', 'in9jsEXufZ', 'FdujLiQkKU', 'TsAja8hst3', 'JuTjCad4G4', 'HyFjUQAgur'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, gvDY8QB1YMmf2dncZA.cs High entropy of concatenated method names: 'rmiTRqpWBA', 'bGQT6mDjw3', 'eAyT4lQquh', 't1dTw5SkW6', 'zSDTIv1EhE', 'mdMTSeNe5W', 'BVATZi9YXr', 'XseTyWURLl', 'yXrTD1SkeZ', 'K7KTFgtkVF'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, RgwcvmFYWkp0fMVSiK.cs High entropy of concatenated method names: 's6Kygo7qZR', 'mPtyjV46c6', 'PgkyThw5Ku', 'CXEybHToy7', 'OkUydA6wws', 'nL5yOCChpk', 'lSOylIrOLn', 'J6Ayqx2RFb', 'rwcyXaT6yK', 'oI1y85gqsv'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, cmsXDtyGVO5FOEpadW.cs High entropy of concatenated method names: 'efLDco7jCA', 'wZgD2xnuvK', 'P1QDNg6tUW', 'hF1DgYAUUC', 'wheDjVOWMF', 'YEBDb14kGl', 'oOODdaG1rr', 'vDMyL5MDrG', 'tG9yaiGFEV', 'FUxyC7dEp3'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, kBPjPwzFF5lF1uwwqm.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'b5AD06pxfl', 'dIfDIWQacJ', 'slDDSSAeEk', 'BhIDZNXPn3', 'TyiDy3dtBm', 'NodDDhcuZe', 'vqfDFF7Mel'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, ImIW4rKwf6tqNiiWNR3.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'c0xF5Pr4bY', 'cqkFeDi4OX', 'bPBFJvpMuD', 'mpOFMkQjyO', 'moiFH6fUNQ', 'c3YFsfO2uY', 'ECOFLOpiyw'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, iv04pT1Nje59B37HvY.cs High entropy of concatenated method names: 'ImZ2Gx7xyZ', 'RqZ2gZFOMD', 'BjJ2jWuEDe', 'NG62TlLE7c', 'tEJ2b8N6le', 'tQu2drm0Ru', 'SIA2OPIVdm', 'Ekw2l5WILM', 'vle2qHvAuh', 'ziC2Xod8tV'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, l8ftM6oDY7WIIMNLOd.cs High entropy of concatenated method names: 'C18bVSpGsQ', 'CNObnY7IF2', 'tC7Tm9QOhW', 'fnkTPZsumm', 'z4eToIHZWL', 'e4STAwWcnm', 'DovTvBY7nj', 'a80TKIynWT', 'gaLTppPsyK', 'mROTugtnN8'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, dyrVmPctQktPSrtNdw.cs High entropy of concatenated method names: 'nXmOgoV2AG', 's4KOTERE7X', 'GLIOdu3IKS', 'qhCdUwvk9e', 'L7jdzOspfT', 'JbbOhtbYGT', 'TofOcBy4yc', 'D9SOx8X0D6', 'F23O21R0Qg', 'BWtONPaY0P'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, l2sJYh5K0ZNHRqvmDU.cs High entropy of concatenated method names: 'e5vtvaU5e', 'L4qRU9qOW', 'flx6D0bih', 'B0GnhQH2d', 'g19wjoHRy', 'NGKQs9iho', 'N7eC3GKT6wBmVGvXic', 'a77CdxkuZemMFuw3Hk', 'nvQyVgcJY', 'KStFRUg8A'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, Qrig4VQZJw0SmAOp59.cs High entropy of concatenated method names: 'be1Iuvnh8E', 'ki1I95fAFH', 'Q2xI5IFFIN', 'gnCIeRwoYG', 'WGFIBrbBjn', 'dXvImN6VJC', 'GfsIPFS2SZ', 'IN2IoimUxq', 'KoLIAwrg6T', 'ejEIv7tweD'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, icguhxMxu9hdKnfBif.cs High entropy of concatenated method names: 'ToString', 'VirSfDdAFk', 'oviSBXFtS6', 'QMJSm4r73L', 'dGmSPc4qsg', 'QdJSocZdGy', 'JjmSA5PvlP', 'KYqSv6E8ty', 'x3iSKgsbe7', 'tQTSpEWubK'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, No5wVbGi2FjI1MyTZU.cs High entropy of concatenated method names: 'vWsyiU9gdh', 'AypyB9b2Hq', 'nAgymChUpO', 'dE2yP4wQxG', 'eR2y5v2Jvn', 'MVRyoNRU0u', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, L53jeqg7TU3usVYAQC.cs High entropy of concatenated method names: 'av804Aq3dO', 'oPg0wsWmXc', 'iPh0inMgrG', 'm1H0BefjKc', 'veG0PnOHnK', 'ui20oeRsF6', 'jAH0vZC1xq', 'z5X0KWhxlE', 'f9M0uFZKDq', 'WpK0f30Yv6'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, s9YxdXpYvmj4sEtJwg.cs High entropy of concatenated method names: 'HO1ZX0dFDv', 'i3BZ8prWVg', 'ToString', 'sRxZgSgPOe', 'lDJZjGiZuG', 'HgbZT43KMJ', 'zoWZbveHwY', 'KB1Zd2KZID', 'suQZOy0gHX', 'LgEZlEQ9U9'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, z8V6tSE9Kmk8VtHnQ3.cs High entropy of concatenated method names: 'L5CdGnTvgO', 'B1qdjTHB0f', 'StGdb5CFl1', 'QTXdOyGcHV', 'Mbhdl9RtXq', 'MQebHF3Tss', 'RcAbsdgysV', 'yS1bLCMrSG', 'DL2ba6jfn3', 'QGdbCskcGG'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, F4KCalNgCf4yJJMxmi.cs High entropy of concatenated method names: 'Dispose', 'twNcCypQt4', 'DafxBWJaWx', 'gPi77gulml', 'kHgcUuYmp0', 'BheczKE4aY', 'ProcessDialogKey', 'eaLxhP8s10', 'CnSxcYmxpC', 'bX5xxYUGmi'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, vP9haJacLPGwS8wXSo.cs High entropy of concatenated method names: 'gPCOWRWtVk', 'lfgOrK9oJr', 'UIUOtL9dVg', 'LSmORlUOtj', 'wv7OVqjviB', 'CxQO6fGhUr', 'FeDOnNu062', 'fxsO4sQulE', 'bV8OwM5HIx', 'vbSOQiEOCC'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, IScEM5lWVrKlhRvUrx.cs High entropy of concatenated method names: 'f8ScOHvsyX', 'CQMclHI8US', 'BGhcXUt12V', 'dBGc8wZ9V0', 'CvlcIcyqrA', 'dAucSPgoaM', 'TG85DLHDcuKtyVNtsE', 'vcZjHFlUJjecPQw7Qr', 'LQRccxpRSx', 'YE8c2pOpqN'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, kl5mmcflXMc65HWBwM.cs High entropy of concatenated method names: 'z43ZaJ9ICd', 'MLqZUQGiTl', 'JTXyhUBsFF', 'g6YycB8J3W', 'yXQZfcO3pM', 'A2qZ9ylxBL', 'ueCZYEwZQV', 'qn0Z5nTE3R', 'LyLZe0C7Vu', 'C0fZJQkGX6'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, xjSqLJKLfArB0tpMCnq.cs High entropy of concatenated method names: 'nmiDW2nTaS', 'sfiDrJEhwQ', 'Cn1DthvMD1', 'z6MDR33YNZ', 'EEyDVEGbo9', 'fKvD6tbi1S', 'Q4LDnVd7yr', 'O4ID4ancvc', 'FyIDwTOQrS', 'bfhDQjVN2v'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, FW07bIZxXrtNgWto45.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'M28xCk1chl', 'bqNxUJi5cj', 'WJJxzwRgaO', 'MbB2hbb01E', 'MkL2cbxg9c', 'D0o2x1DIOM', 'fd322XZAgl', 'UEtABwVANYrG79ytDCI'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, P3KWcgP03CKVL94tw3.cs High entropy of concatenated method names: 'Ma7j5hJYxa', 'bg4jepGRwo', 'VJ3jJK1Tbv', 'cc2jMjpa1G', 'sI5jHbrttL', 'in9jsEXufZ', 'FdujLiQkKU', 'TsAja8hst3', 'JuTjCad4G4', 'HyFjUQAgur'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, gvDY8QB1YMmf2dncZA.cs High entropy of concatenated method names: 'rmiTRqpWBA', 'bGQT6mDjw3', 'eAyT4lQquh', 't1dTw5SkW6', 'zSDTIv1EhE', 'mdMTSeNe5W', 'BVATZi9YXr', 'XseTyWURLl', 'yXrTD1SkeZ', 'K7KTFgtkVF'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, RgwcvmFYWkp0fMVSiK.cs High entropy of concatenated method names: 's6Kygo7qZR', 'mPtyjV46c6', 'PgkyThw5Ku', 'CXEybHToy7', 'OkUydA6wws', 'nL5yOCChpk', 'lSOylIrOLn', 'J6Ayqx2RFb', 'rwcyXaT6yK', 'oI1y85gqsv'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, cmsXDtyGVO5FOEpadW.cs High entropy of concatenated method names: 'efLDco7jCA', 'wZgD2xnuvK', 'P1QDNg6tUW', 'hF1DgYAUUC', 'wheDjVOWMF', 'YEBDb14kGl', 'oOODdaG1rr', 'vDMyL5MDrG', 'tG9yaiGFEV', 'FUxyC7dEp3'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, kBPjPwzFF5lF1uwwqm.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'b5AD06pxfl', 'dIfDIWQacJ', 'slDDSSAeEk', 'BhIDZNXPn3', 'TyiDy3dtBm', 'NodDDhcuZe', 'vqfDFF7Mel'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, ImIW4rKwf6tqNiiWNR3.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'c0xF5Pr4bY', 'cqkFeDi4OX', 'bPBFJvpMuD', 'mpOFMkQjyO', 'moiFH6fUNQ', 'c3YFsfO2uY', 'ECOFLOpiyw'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, iv04pT1Nje59B37HvY.cs High entropy of concatenated method names: 'ImZ2Gx7xyZ', 'RqZ2gZFOMD', 'BjJ2jWuEDe', 'NG62TlLE7c', 'tEJ2b8N6le', 'tQu2drm0Ru', 'SIA2OPIVdm', 'Ekw2l5WILM', 'vle2qHvAuh', 'ziC2Xod8tV'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, l8ftM6oDY7WIIMNLOd.cs High entropy of concatenated method names: 'C18bVSpGsQ', 'CNObnY7IF2', 'tC7Tm9QOhW', 'fnkTPZsumm', 'z4eToIHZWL', 'e4STAwWcnm', 'DovTvBY7nj', 'a80TKIynWT', 'gaLTppPsyK', 'mROTugtnN8'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, dyrVmPctQktPSrtNdw.cs High entropy of concatenated method names: 'nXmOgoV2AG', 's4KOTERE7X', 'GLIOdu3IKS', 'qhCdUwvk9e', 'L7jdzOspfT', 'JbbOhtbYGT', 'TofOcBy4yc', 'D9SOx8X0D6', 'F23O21R0Qg', 'BWtONPaY0P'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, l2sJYh5K0ZNHRqvmDU.cs High entropy of concatenated method names: 'e5vtvaU5e', 'L4qRU9qOW', 'flx6D0bih', 'B0GnhQH2d', 'g19wjoHRy', 'NGKQs9iho', 'N7eC3GKT6wBmVGvXic', 'a77CdxkuZemMFuw3Hk', 'nvQyVgcJY', 'KStFRUg8A'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, Qrig4VQZJw0SmAOp59.cs High entropy of concatenated method names: 'be1Iuvnh8E', 'ki1I95fAFH', 'Q2xI5IFFIN', 'gnCIeRwoYG', 'WGFIBrbBjn', 'dXvImN6VJC', 'GfsIPFS2SZ', 'IN2IoimUxq', 'KoLIAwrg6T', 'ejEIv7tweD'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, icguhxMxu9hdKnfBif.cs High entropy of concatenated method names: 'ToString', 'VirSfDdAFk', 'oviSBXFtS6', 'QMJSm4r73L', 'dGmSPc4qsg', 'QdJSocZdGy', 'JjmSA5PvlP', 'KYqSv6E8ty', 'x3iSKgsbe7', 'tQTSpEWubK'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, No5wVbGi2FjI1MyTZU.cs High entropy of concatenated method names: 'vWsyiU9gdh', 'AypyB9b2Hq', 'nAgymChUpO', 'dE2yP4wQxG', 'eR2y5v2Jvn', 'MVRyoNRU0u', 'Next', 'Next', 'Next', 'NextBytes'

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Process information set: NOOPENFILEERRORBOX (56 identical entries)

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: PURCHASE ORDER-6350-2024.exe PID: 5688, type: MEMORYSTR
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Memory allocated: 10A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Memory allocated: 2A20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Memory allocated: 4A20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Memory allocated: 8AB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Memory allocated: 9AB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Memory allocated: 9CB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Memory allocated: ACB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Memory allocated: 12C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Memory allocated: 2D10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Memory allocated: 12C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6233
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3302
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Window / User API: threadDelayed 1185
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Window / User API: threadDelayed 4034
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 5908 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7100 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4564 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 3876 Thread sleep count: 1185 > 30
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 3876 Thread sleep count: 4034 > 30
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 Thread sleep time: -99764s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 Thread sleep time: -99653s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 Thread sleep time: -99546s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 Thread sleep time: -99312s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 Thread sleep time: -99203s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 Thread sleep time: -99093s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 Thread sleep time: -98984s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 Thread sleep time: -98875s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 Thread sleep time: -98703s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 Thread sleep time: -98590s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 Thread sleep time: -98469s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 Thread sleep time: -98358s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 Thread sleep time: -98250s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 Thread sleep time: -98140s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 Thread sleep time: -98031s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 Thread sleep time: -97921s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 Thread sleep time: -97812s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 Thread sleep time: -97703s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 Thread sleep time: -97594s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 Thread sleep time: -97469s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Thread delayed: delay time: 99875
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Thread delayed: delay time: 99764
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Thread delayed: delay time: 99653
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Thread delayed: delay time: 99546
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Thread delayed: delay time: 99422
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Thread delayed: delay time: 99312
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Thread delayed: delay time: 99203
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Thread delayed: delay time: 99093
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Thread delayed: delay time: 98984
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Thread delayed: delay time: 98875
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Thread delayed: delay time: 98703
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Thread delayed: delay time: 98590
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Thread delayed: delay time: 98469
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Thread delayed: delay time: 98358
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Thread delayed: delay time: 98250
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Thread delayed: delay time: 98140
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Thread delayed: delay time: 98031
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Thread delayed: delay time: 97921
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Thread delayed: delay time: 97812
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Thread delayed: delay time: 97703
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Thread delayed: delay time: 97594
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Thread delayed: delay time: 97469
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Thread delayed: delay time: 922337203685477
Source: PURCHASE ORDER-6350-2024.exe, 00000006.00000002.3269575553.00000000063B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Memory allocated: page read and write | page guard
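The delay values in this section repay a second look. 922337203685477 is .NET's TimeSpan.MaxValue in whole milliseconds ((2^63 - 1) ticks divided by 10,000 ticks per millisecond), so each of those entries is an effectively infinite wait rather than a timed sleep. The run from 100000 down to 97469 shrinks by roughly 110 ms per request; a single Sleep(100000) would appear once, whereas a loop that sleeps for "deadline minus now" and is woken early produces exactly this shape. The Python below is an added example for this report, not Joe Sandbox code and not the sample's: it parses "Thread delayed" lines in the listing's format (the values are copied from the entries above for the main executable; the regex, the three-minute bar taken from the report's own "long sleeps" signature, and the countdown heuristic are the example's assumptions) and summarizes what a triager wants to know.

```python
"""Triage of the 'Thread delayed' entries in a Joe Sandbox behaviour listing.

Added example for this report; it is not Joe Sandbox code and not the sample's.
The delay values are copied from the report's lines for
PURCHASE ORDER-6350-2024.exe; the regex and thresholds are this example's own.
"""
import re

# (2**63 - 1) ticks / 10_000 ticks per ms == TimeSpan.MaxValue in whole milliseconds.
# A request of this size is an effectively infinite wait, whatever API produced it.
DOTNET_MAX_DELAY_MS = (2**63 - 1) // 10_000      # 922337203685477
LONG_SLEEP_MS = 3 * 60 * 1000                      # the report's ">= 3 min" bar

DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")

# Delay values, in order, from the report's "Thread delayed" lines for the
# main executable (the two powershell.exe entries are left out).
REPORTED_DELAYS_MS = [
    922337203685477, 922337203685477,
    100000, 99875, 99764, 99653, 99546, 99422, 99312, 99203, 99093, 98984,
    98875, 98703, 98590, 98469, 98358, 98250, 98140, 98031, 97921, 97812,
    97703, 97594, 97469,
    922337203685477,
]

# Constructed report excerpt in the listing's own line format, built from the values above.
SAMPLE_REPORT = "\n".join(
    rf"Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Thread delayed: delay time: {d}"
    for d in REPORTED_DELAYS_MS
)


def parse_delays(report_text: str) -> list:
    """Requested delays (ms) in the order the listing reports them."""
    return [int(m.group(1)) for m in DELAY_RE.finditer(report_text)]


def find_countdown_runs(delays, max_step_ms=1000, min_len=3):
    """Runs of consecutive delays that each shrink by a small positive amount.

    A single Thread.Sleep(100000) shows up once.  A run such as
    100000, 99875, 99764, ... is consistent with a loop that sleeps for
    (deadline - now) and is woken early each time: the next request is
    shorter by roughly the wall-clock time that actually elapsed.
    Returns (first_value, last_value, length) for each run found.
    """
    runs = []
    start = 0
    for i in range(1, len(delays) + 1):
        continues = i < len(delays) and 0 < delays[i - 1] - delays[i] <= max_step_ms
        if not continues:
            if i - start >= min_len:
                runs.append((delays[start], delays[i - 1], i - start))
            start = i
    return runs


def summarize(delays) -> dict:
    """Counts a triager cares about: infinite waits, long finite sleeps, countdown loops."""
    finite = [d for d in delays if d < DOTNET_MAX_DELAY_MS]
    return {
        "calls": len(delays),
        "effectively_infinite": len(delays) - len(finite),
        "long_finite": sum(1 for d in finite if d >= LONG_SLEEP_MS),
        "requested_finite_ms": sum(finite),
        "countdown_runs": find_countdown_runs(delays),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_delays(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

On this report's values the summary reports three effectively infinite waits, no finite sleep above the three-minute bar, about 38 minutes of finite sleep requested in total, and one countdown run of 23 requests from 100000 down to 97469 ms. The "Thread sleep time: -100000s ... -97469s" entries for TID 1600 above are the same series in the report's other notation.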

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe"
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe" Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe" Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe" Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe" Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Queries volume information: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Queries volume information: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0.2.PURCHASE ORDER-6350-2024.exe.3ab4e38.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PURCHASE ORDER-6350-2024.exe.3adde58.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PURCHASE ORDER-6350-2024.exe.3ab4e38.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PURCHASE ORDER-6350-2024.exe.3adde58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3264163729.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2053479431.0000000003A29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000006.00000002.3266110194.0000000002D6A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3266110194.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER-6350-2024.exe PID: 1020, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 00000006.00000002.3266110194.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER-6350-2024.exe PID: 1020, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.PURCHASE ORDER-6350-2024.exe.3ab4e38.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PURCHASE ORDER-6350-2024.exe.3adde58.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PURCHASE ORDER-6350-2024.exe.3ab4e38.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PURCHASE ORDER-6350-2024.exe.3adde58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3264163729.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2053479431.0000000003A29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000006.00000002.3266110194.0000000002D6A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3266110194.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER-6350-2024.exe PID: 1020, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR