
Analysis Report PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe

Overview

General Information

Sample Name: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe
Analysis ID: 356551
MD5: 1aee76519a71de3f3f4e7485c2fcc9cb
SHA1: 7a0138e465d7dd20a726f3ccebf811b059355dd4
SHA256: 95d7e599e9a76497dd73084440554dfcf4a94974d49e88c43f23611d4bce5d12
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "bWUSNsqFz", "URL: ": "http://hWJRHFah1ZO6.com", "To: ": "fikriye@turuncoglu.com", "ByHost: ": "smtp.yandex.com:587", "Password: ": "WYVxdnuS0dPp19", "From: ": "fikriye@turuncoglu.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.924538970.0000000008A30000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.913283629.0000000003AD3000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe PID: 6968 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author
0.2.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.3b21d90.5.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.8a30000.11.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.8a30000.11.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.3b21d90.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.288692c.2.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.6968.0.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "bWUSNsqFz", "URL: ": "http://hWJRHFah1ZO6.com", "To: ": "fikriye@turuncoglu.com", "ByHost: ": "smtp.yandex.com:587", "Password: ": "WYVxdnuS0dPp19", "From: ": "fikriye@turuncoglu.com"}
Multi AV Scanner detection for submitted file
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | ReversingLabs: Detection: 27%
Machine Learning detection for sample
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://hWJRHFah1ZO6.com
Source: global traffic | TCP traffic: 192.168.2.4:49766 -> 77.88.21.158:587
Source: Joe Sandbox View | IP Address: 77.88.21.158
Source: unknown | DNS traffic detected: queries for: smtp.yandex.com
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large strings
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, LogIn.cs | Long String: Length: 13656
Source: 0.0.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.3e0000.0.unpack, LogIn.cs | Long String: Length: 13656
Source: 0.2.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.3e0000.0.unpack, LogIn.cs | Long String: Length: 13656
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Binary or memory string: OriginalFilename vs PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.910655174.0000000000940000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAsyncState.dllF vs PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.924318190.0000000008990000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000000.642824419.00000000003E2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCausalitySynchronousWork.exe6 vs PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.924605618.0000000008A70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.910711573.0000000000980000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.924538970.0000000008A30000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameJjuAGuEggFLyNdgxhZLJIKFOcxph.exe4 vs PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Binary or memory string: OriginalFilenameCausalitySynchronousWork.exe6 vs PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@2/1
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Mutant created: \Sessions\1\BaseNamedObjects\FgrzrOVaPeBghSSqdSW
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | ReversingLabs: Detection: 27%
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

                      barindex
.NET source code contains potential unpacker
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.3e0000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.3e0000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Code function: 0_2_009ABCDA push 8BFFFFFFh; retf 0_2_009ABCE8
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Code function: 0_2_08A1B980 push esp; ret 0_2_08A1B981
Source: initial sample | Static PE information: section name: .text entropy: 7.51402994346
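The section entropy indicator above (.text at 7.514 bits per byte, close to the 8.0 maximum) is the usual static hint that a .NET loader carries a compressed or encrypted payload which it will later hand to Assembly.Load(byte[]). The following Python is an added example, not code from Joe Sandbox or from the sample: it walks the PE section table directly (no third-party PE parser, so it runs offline), computes Shannon entropy per section, and flags sections at or above an assumed 7.0 cut-off. The build_test_pe() helper and the 7.0 threshold are assumptions made here; it constructs a minimal, non-loadable PE image purely to exercise the parser.

```python
"""Per-section Shannon entropy for a PE file, the check behind the
".text entropy: 7.514" indicator above."""
import math
import struct
from collections import Counter

# Assumed triage cut-off: compiled x86/.NET code usually sits well below 7.0
# bits per byte; compressed or encrypted data approaches the 8.0 maximum.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_entropies(pe: bytes) -> list:
    """Walk the PE section table and return [(name, entropy)] over each section's raw data."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    sect_table = coff + 20 + size_opt                    # first IMAGE_SECTION_HEADER
    result = []
    for i in range(num_sections):
        hdr = sect_table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        result.append((name, shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])))
    return result


def flag_packed(pe: bytes, threshold: float = PACKED_THRESHOLD) -> list:
    """Names of sections whose entropy meets the threshold (candidates for unpacking)."""
    return [name for name, h in section_entropies(pe) if h >= threshold]


def build_test_pe(sections: dict) -> bytes:
    """Constructed test input: a minimal PE32 image carrying the given raw sections.
    Only the fields section_entropies() reads are populated; the optional header
    is zero padding, so the result is parseable but not loadable."""
    num = len(sections)
    e_lfanew, size_opt = 0x40, 0xE0                      # PE32 optional header size
    first_raw = e_lfanew + 4 + 20 + size_opt + 40 * num
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, size_opt, 0x102)
    table, body, ptr = b"", b"", first_raw
    for name, data in sections.items():
        # Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, 16 bytes of the rest
        table += name.encode().ljust(8, b"\0") + struct.pack("<IIII", len(data), ptr, len(data), ptr) + b"\0" * 16
        body += data
        ptr += len(data)
    return dos + b"PE\0\0" + coff + b"\0" * size_opt + table + body


if __name__ == "__main__":
    sample = build_test_pe({".text": bytes(range(256)) * 16, ".rdata": b"A" * 4096})
    for name, h in section_entropies(sample):
        print(f"{name:8s} {h:.3f} bits/byte")
    print("packed candidates:", flag_packed(sample))
```

On a real file replace the constructed image with the bytes read from disk. Entropy alone also fires on legitimately compressed resources and signed overlays, so treat a high .text reading as one signal to pair with the Assembly.Load(byte[]) call site rather than as proof of packing on its own.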
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe PID: 6968, type: MEMORY
Source: Yara match | File source: 0.2.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.288692c.2.raw.unpack, type: UNPACKEDPE
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Window / User API: threadDelayed 440
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Window / User API: threadDelayed 9418
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe TID: 6972 | Thread sleep time: -99909s >= -30000s
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe TID: 1368 | Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.924605618.0000000008A70000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.924605618.0000000008A70000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.924605618.0000000008A70000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.923952005.0000000008750000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.924605618.0000000008A70000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Code function: 0_2_009A5428 LdrInitializeThunk,0_2_009A5428
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Memory allocated: page read and write | page guard
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912004875.0000000001340000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912004875.0000000001340000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912004875.0000000001340000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912004875.0000000001340000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
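The evasion indicators above describe a fairly standard AgentTesla pre-flight: enumerate Win32_BaseBoard, Win32_Processor and Win32_NetworkAdapterConfiguration over WMI, look for VMware strings and the VMware Tools registry key, probe for Sandboxie (SbieDll.dll) and Wine (the kernel32 export wine_get_unix_file_name), and issue very long sleeps that a sandbox is likely to shortcut. The Python below is an added example, not code from the sample or from Joe Sandbox, that reproduces those probes as a checklist a sandbox operator can run against a description of their analysis VM before detonating similar samples. Everything about the HostProfile shape, the vendor word list (including "440bx", the board name VMware guests report), the VMware and VirtualBox MAC OUIs and the sleep tolerance is an assumption made here; the two profiles are constructed, and on a real host the WMI fields would be filled in from the actual class instances.

```python
"""Reproduce the VM/sandbox fingerprint probes seen in this sample against a
host profile, so an analysis VM can be checked before the sample is detonated."""
from dataclasses import dataclass
from typing import Optional

# Assumptions: vendor words come from the indicator strings above plus common
# hypervisor names; "440bx" is the board name VMware guests report in
# Win32_BaseBoard.Product. MAC OUIs: VMware 00:05:69/00:0C:29/00:1C:14/00:50:56,
# VirtualBox 08:00:27. Extend both lists for your own lab.
VM_VENDOR_WORDS = ("vmware", "vmxnet", "virtualbox", "vbox", "qemu", "kvm",
                   "hyper-v", "virtual machine", "440bx")
VM_MAC_PREFIXES = ("00:05:69", "00:0C:29", "00:1C:14", "00:50:56", "08:00:27")
SANDBOX_MODULES = {"sbiedll.dll": "Sandboxie"}          # SBIEDLL.DLL string above
WINE_EXPORT = "wine_get_unix_file_name"                   # kernel32 export only Wine has
VM_REGISTRY_KEYS = (r"SOFTWARE\VMware, Inc.\VMware Tools",)


@dataclass
class HostProfile:
    """What the sample's probes would observe; populate from WMI on a real host."""
    baseboard: dict          # Win32_BaseBoard properties
    processor: dict          # Win32_Processor properties
    adapters: list           # Win32_NetworkAdapterConfiguration rows
    loaded_modules: list     # module names present in the process
    kernel32_exports: list   # export names of kernel32.dll
    registry_keys: list      # HKLM keys that exist
    sleep_requested_ms: int  # what the sample asked Sleep() for
    sleep_elapsed_ms: int    # wall-clock time that actually passed


def _vm_word(value) -> Optional[str]:
    low = str(value).lower()
    return next((w for w in VM_VENDOR_WORDS if w in low), None)


def check_wmi(p: HostProfile) -> list:
    """String scan of BaseBoard/Processor/NIC properties plus a MAC OUI check."""
    hits = []
    for cls, props in (("Win32_BaseBoard", p.baseboard), ("Win32_Processor", p.processor)):
        hits += [f"{cls}.{k} contains '{_vm_word(v)}'" for k, v in props.items() if _vm_word(v)]
    for row in p.adapters:
        hits += [f"Win32_NetworkAdapterConfiguration.{k} contains '{_vm_word(v)}'"
                 for k, v in row.items() if _vm_word(v)]
        mac = str(row.get("MACAddress", "")).upper()
        if mac.startswith(VM_MAC_PREFIXES):
            hits.append(f"Win32_NetworkAdapterConfiguration MAC {mac} has a hypervisor OUI")
    return hits


def check_process_env(p: HostProfile) -> list:
    """Module, export and registry probes the sample carries as strings."""
    loaded = {m.lower() for m in p.loaded_modules}
    hits = [f"{mod} loaded ({tool})" for mod, tool in SANDBOX_MODULES.items() if mod in loaded]
    if WINE_EXPORT in p.kernel32_exports:
        hits.append(f"kernel32 exports {WINE_EXPORT} (Wine)")
    hits += [f"registry key present: {k}" for k in VM_REGISTRY_KEYS if k in p.registry_keys]
    return hits


def sleep_was_accelerated(requested_ms: int, elapsed_ms: int, tolerance: float = 0.9) -> bool:
    """True when a long Sleep() returned far too early, i.e. the sandbox skipped it."""
    return requested_ms > 0 and elapsed_ms < requested_ms * tolerance


def assess(p: HostProfile) -> list:
    """All artifacts the sample's checks would find on this host."""
    hits = check_wmi(p) + check_process_env(p)
    if sleep_was_accelerated(p.sleep_requested_ms, p.sleep_elapsed_ms):
        hits.append("Sleep() returned early; a timing check would flag the sandbox")
    return hits


# Constructed profiles: a stock VMware guest with VMware Tools and sleep
# skipping enabled, and a hardened host with neutral values.
STOCK_VMWARE = HostProfile(
    baseboard={"Manufacturer": "Intel Corporation", "Product": "440BX Desktop Reference Platform"},
    processor={"Name": "Intel(R) Core(TM) i7 CPU", "Manufacturer": "GenuineIntel"},
    adapters=[{"Description": "vmxnet3 Ethernet Adapter", "MACAddress": "00:0C:29:3A:1B:C4"}],
    loaded_modules=["ntdll.dll", "kernel32.dll", "mscoree.dll"],
    kernel32_exports=["Sleep", "GetTickCount"],
    registry_keys=[r"SOFTWARE\VMware, Inc.\VMware Tools"],
    sleep_requested_ms=99_909_000,   # the 99909 s delay logged above
    sleep_elapsed_ms=40,
)
HARDENED_HOST = HostProfile(
    baseboard={"Manufacturer": "Dell Inc.", "Product": "0ABC12"},
    processor={"Name": "Intel(R) Core(TM) i7 CPU", "Manufacturer": "GenuineIntel"},
    adapters=[{"Description": "Intel(R) Ethernet Connection", "MACAddress": "D8:9E:F3:10:20:30"}],
    loaded_modules=["ntdll.dll", "kernel32.dll", "mscoree.dll"],
    kernel32_exports=["Sleep", "GetTickCount"],
    registry_keys=[],
    sleep_requested_ms=99_909_000,
    sleep_elapsed_ms=99_909_012,
)

if __name__ == "__main__":
    for label, prof in (("stock VMware", STOCK_VMWARE), ("hardened", HARDENED_HOST)):
        print(label, assess(prof) or ["no artifacts found"])
```

The sleep check is the one most sandboxes trip over: shortening Sleep() so the run finishes inside the analysis window is exactly what a malware timing loop measures. Leaving the delay intact but lowering it consistently (clock, tick count and Sleep() together) is the usual compromise; the string and OUI artifacts are cheaper to fix by changing the virtual hardware and uninstalling guest tools.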
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Queries volume information: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | Queries volume information (VolumeInformation) for the following files under C:\Windows\Fonts\: arial.ttf, ariali.ttf, arialbd.ttf, arialbi.ttf, ARIALN.TTF, ariblk.ttf, ARIALNI.TTF, ARIALNB.TTF, ARIALNBI.TTF, bahnschrift.ttf, calibri.ttf, calibril.ttf, calibrii.ttf, calibrili.ttf, calibrib.ttf, calibriz.ttf, cambria.ttc, cambriai.ttf, cambriab.ttf, cambriaz.ttf, Candara.ttf, Candarai.ttf, Candarab.ttf, Candaraz.ttf, comic.ttf, comici.ttf, comicbd.ttf, comicz.ttf, consola.ttf, consolai.ttf, consolab.ttf, consolaz.ttf, constan.ttf, constani.ttf, constanb.ttf, constanz.ttf, corbel.ttf, corbeli.ttf, corbelb.ttf, corbelz.ttf, cour.ttf, couri.ttf, courbd.ttf, courbi.ttf, ebrima.ttf, ebrimabd.ttf, framd.ttf, FRADM.TTF, framdit.ttf, FRADMIT.TTF, FRAMDCN.TTF, FRADMCN.TTF, FRAHV.TTF, FRAHVIT.TTF, Gabriola.ttf, gadugi.ttf, gadugib.ttf, georgia.ttf, georgiai.ttf
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe
Queries volume information (VolumeInformation) for the following files:
    C:\Windows\Fonts\LFAX.TTF
    C:\Windows\Fonts\LFAXD.TTF
    C:\Windows\Fonts\LFAXI.TTF
    C:\Windows\Fonts\LFAXDI.TTF
    C:\Windows\Fonts\MAGNETOB.TTF
    C:\Windows\Fonts\MATURASC.TTF
    C:\Windows\Fonts\MOD20.TTF
    C:\Windows\Fonts\NIAGENG.TTF
    C:\Windows\Fonts\NIAGSOL.TTF
    C:\Windows\Fonts\OLDENGL.TTF
    C:\Windows\Fonts\ONYX.TTF
    C:\Windows\Fonts\PARCHM.TTF
    C:\Windows\Fonts\PLAYBILL.TTF
    C:\Windows\Fonts\POORICH.TTF
    C:\Windows\Fonts\RAVIE.TTF
    C:\Windows\Fonts\INFROMAN.TTF
    C:\Windows\Fonts\SHOWG.TTF
    C:\Windows\Fonts\SNAP____.TTF
    C:\Windows\Fonts\STENCIL.TTF
    C:\Windows\Fonts\VINERITC.TTF
    C:\Windows\Fonts\VIVALDII.TTF
    C:\Windows\Fonts\VLADIMIR.TTF
    C:\Windows\Fonts\LATINWD.TTF
    C:\Windows\Fonts\TCM_____.TTF
    C:\Windows\Fonts\TCMI____.TTF
    C:\Windows\Fonts\TCB_____.TTF
    C:\Windows\Fonts\TCBI____.TTF
    C:\Windows\Fonts\TCCM____.TTF
    C:\Windows\Fonts\TCCB____.TTF
    C:\Windows\Fonts\TCCEB.TTF
    C:\Windows\Fonts\SCRIPTBL.TTF
    C:\Windows\Fonts\ROCK.TTF
    C:\Windows\Fonts\ROCKI.TTF
    C:\Windows\Fonts\ROCKB.TTF
    C:\Windows\Fonts\ROCKEB.TTF
    C:\Windows\Fonts\ROCKBI.TTF
    C:\Windows\Fonts\ROCC____.TTF
    C:\Windows\Fonts\ROCCB___.TTF
    C:\Windows\Fonts\RAGE.TTF
    C:\Windows\Fonts\PERTILI.TTF
    C:\Windows\Fonts\PERTIBD.TTF
    C:\Windows\Fonts\PER_____.TTF
    C:\Windows\Fonts\PERI____.TTF
    C:\Windows\Fonts\PERB____.TTF
    C:\Windows\Fonts\PERBI___.TTF
    C:\Windows\Fonts\PALSCRI.TTF
    C:\Windows\Fonts\OCRAEXT.TTF
    C:\Windows\Fonts\MAIAN.TTF
    C:\Windows\Fonts\LTYPE.TTF
    C:\Windows\Fonts\LTYPEO.TTF
    C:\Windows\Fonts\LTYPEB.TTF
    C:\Windows\Fonts\LTYPEBO.TTF
    C:\Windows\Fonts\LSANS.TTF
    C:\Windows\Fonts\LSANSD.TTF
    C:\Windows\Fonts\LSANSI.TTF
    C:\Windows\Fonts\LSANSDI.TTF
    C:\Windows\Fonts\IMPRISHA.TTF
    C:\Windows\Fonts\HATTEN.TTF
    C:\Windows\Fonts\GOUDYSTO.TTF
    C:\Windows\Fonts\GOUDOS.TTF
    C:\Windows\Fonts\GOUDOSI.TTF
    C:\Windows\Fonts\GOUDOSB.TTF
    C:\Windows\Fonts\GLECB.TTF
    C:\Windows\Fonts\GIL_____.TTF
    C:\Windows\Fonts\GILI____.TTF
    C:\Windows\Fonts\GILB____.TTF
    C:\Windows\Fonts\GILBI___.TTF
    C:\Windows\Fonts\GILC____.TTF
    C:\Windows\Fonts\GLSNECB.TTF
    C:\Windows\Fonts\GIGI.TTF
    C:\Windows\Fonts\FRABK.TTF
    C:\Windows\Fonts\FRABKIT.TTF
    C:\Windows\Fonts\FORTE.TTF
    C:\Windows\Fonts\FELIXTI.TTF
    C:\Windows\Fonts\ERASMD.TTF
    C:\Windows\Fonts\ERASLGHT.TTF
    C:\Windows\Fonts\ERASDEMI.TTF
    C:\Windows\Fonts\ERASBD.TTF
    C:\Windows\Fonts\ENGR.TTF
    C:\Windows\Fonts\ELEPHNT.TTF
    C:\Windows\Fonts\ELEPHNTI.TTF
    C:\Windows\Fonts\ITCEDSCR.TTF
    C:\Windows\Fonts\CURLZ___.TTF
    C:\Windows\Fonts\COPRGTL.TTF
    C:\Windows\Fonts\COPRGTB.TTF
    C:\Windows\Fonts\CENSCBK.TTF
    C:\Windows\Fonts\SCHLBKI.TTF
    C:\Windows\Fonts\SCHLBKB.TTF
    C:\Windows\Fonts\SCHLBKBI.TTF
    C:\Windows\Fonts\CASTELAR.TTF
    C:\Windows\Fonts\CALIST.TTF
    C:\Windows\Fonts\CALISTI.TTF
    C:\Windows\Fonts\CALISTB.TTF
    C:\Windows\Fonts\CALISTBI.TTF
    C:\Windows\Fonts\BOOKOS.TTF
    C:\Windows\Fonts\BOOKOSB.TTF
    C:\Windows\Fonts\BOOKOSI.TTF
    C:\Windows\Fonts\BOOKOSBI.TTF
    C:\Windows\Fonts\BOD_R.TTF
    C:\Windows\Fonts\BOD_I.TTF
    C:\Windows\Fonts\BOD_B.TTF
    C:\Windows\Fonts\BOD_BI.TTF
    C:\Windows\Fonts\BOD_CR.TTF
    C:\Windows\Fonts\BOD_BLAR.TTF
    C:\Windows\Fonts\BOD_CI.TTF
    C:\Windows\Fonts\BOD_CB.TTF
    C:\Windows\Fonts\BOD_BLAI.TTF
    C:\Windows\Fonts\BOD_CBI.TTF
    C:\Windows\Fonts\ITCBLKAD.TTF
    C:\Windows\Fonts\ARLRDBD.TTF
    C:\Windows\Fonts\AGENCYR.TTF
    C:\Windows\Fonts\AGENCYB.TTF
    C:\Windows\Fonts\BSSYM7.TTF
    C:\Windows\Fonts\REFSAN.TTF
    C:\Windows\Fonts\REFSPCL.TTF
    C:\Windows\Fonts\MTEXTRA.TTF
    C:\Windows\Fonts\marlett.ttf
    C:\Windows\Fonts\micross.ttf
    C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll (listed three times)
    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match; file source: 00000000.00000002.924538970.0000000008A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.913283629.0000000003AD3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe PID: 6968, type: MEMORY
Source: Yara match; file source: 0.2.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.3b21d90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.8a30000.11.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.8a30000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.3b21d90.5.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe; File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe; File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\

Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match; file source: 00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe PID: 6968, type: MEMORY
Source: Yara match; file source: 0.2.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.288692c.2.raw.unpack, type: UNPACKEDPE
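The credential-store accesses recorded above are the most useful hunting material in this report. An application reading its own store (Firefox opening its profiles.ini) is routine; the stealer pattern is one unrelated executable walking browser, FTP, SFTP and mail stores in a single run. The Python below is an added example and is not part of the Joe Sandbox report or of the sample: it matches file-open and registry-open events against the locations the report lists and flags any process that touches stores from two or more categories. The event layout (image, op, target), the owner allowlist of process names, the two-category threshold and the sample events themselves are assumptions constructed for illustration; the paths and registry keys are those from the report.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set

# Credential-store files and registry keys, taken from the report's
# "Stealing of Sensitive Information" entries, grouped by what they hold.
# Matching is case-insensitive substring, so the C:\Users\<name> prefix
# does not matter.
CREDENTIAL_STORES: Dict[str, List[str]] = {
    "browser": [
        r"\Google\Chrome\User Data\Default\Login Data",
        r"\Mozilla\Firefox\profiles.ini",
    ],
    "ftp": [
        r"\FileZilla\recentservers.xml",
        r"\SmartFTP\Client 2.0\Favorites\Quick Connect",
    ],
    "sftp": [
        r"\Martin Prikryl\WinSCP 2\Sessions",
    ],
    "mail": [
        r"\Thunderbird\profiles.ini",
        r"\IncrediMail\Identities",
        r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    ],
}

# Assumed allowlist: process images that legitimately own a store category.
# Their own accesses are expected and not counted; anything else touching
# that store is.
OWNERS: Dict[str, str] = {
    "chrome.exe": "browser",
    "firefox.exe": "browser",
    "filezilla.exe": "ftp",
    "winscp.exe": "sftp",
    "thunderbird.exe": "mail",
    "outlook.exe": "mail",
}


def match_store(target: str) -> Optional[str]:
    """Return the store category a file path or registry key belongs to, or None."""
    t = target.lower()
    for category, needles in CREDENTIAL_STORES.items():
        if any(n.lower() in t for n in needles):
            return category
    return None


def categories_by_process(events: Iterable[dict]) -> Dict[str, Set[str]]:
    """Map each process image to the set of foreign store categories it touched.

    Each event is a dict with 'image' (full path of the process) and
    'target' (file path or registry key opened). The 'op' field is only
    there to make the sample data readable.
    """
    hits: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        category = match_store(ev["target"])
        if category is None:
            continue
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        if OWNERS.get(exe) == category:
            continue  # an application reading its own store
        hits[ev["image"]].add(category)
    return dict(hits)


def flag_harvesters(events: Iterable[dict], min_categories: int = 2) -> Dict[str, Set[str]]:
    """Processes that touched stores from at least min_categories distinct categories."""
    return {
        image: cats
        for image, cats in categories_by_process(events).items()
        if len(cats) >= min_categories
    }


# Constructed sample events mirroring the report's file/registry accesses,
# plus two benign accesses for contrast.
SAMPLE = r"C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe"
EVENTS = [
    {"image": SAMPLE, "op": "FileOpen", "target": r"C:\Windows\Fonts\LFAX.TTF"},
    {"image": SAMPLE, "op": "RegOpenKey", "target": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"image": SAMPLE, "op": "FileOpen", "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": SAMPLE, "op": "FileOpen", "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"image": SAMPLE, "op": "FileOpen", "target": r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"},
    {"image": SAMPLE, "op": "FileOpen", "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"image": SAMPLE, "op": "RegOpenKey", "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    # Firefox reading its own profile list: owner access, not counted.
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "op": "FileOpen", "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    # One foreign access: recorded, but below the two-category threshold.
    {"image": r"C:\Windows\explorer.exe", "op": "FileOpen", "target": r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"},
]

if __name__ == "__main__":
    for image, cats in flag_harvesters(EVENTS).items():
        print(f"credential harvester: {image} -> {sorted(cats)}")
```

Run against the constructed events, only the sample executable is flagged (browser, ftp, sftp and mail); firefox.exe is excluded by the owner allowlist and explorer.exe stays below the threshold with a single category. In production the same logic sits on Sysmon file-create/registry events or an EDR file-access stream, and the threshold is what keeps a backup agent or a single misbehaving utility from paging the on-call.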

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match; file source: 00000000.00000002.924538970.0000000008A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.913283629.0000000003AD3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe PID: 6968, type: MEMORY
Source: Yara match; file source: 0.2.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.3b21d90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.8a30000.11.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.8a30000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.3b21d90.5.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Digits following a technique name are the report's signature-count badges for that technique; cells are separated by "|" and empty cells are left blank.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 1 | Virtualization/Sandbox Evasion 13 | OS Credential Dumping 2 | Query Registry 1 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | Credentials in Registry 1 | Security Software Discovery 211 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 1 | Security Account Manager | Virtualization/Sandbox Evasion 13 | SMB/Windows Admin Shares | Data from Local System 2 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 21 | NTDS | Process Discovery 2 | Distributed Component Object Model | Clipboard Data 1 | Scheduled Transfer | Application Layer Protocol 111 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 12 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 114 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

                      Behavior Graph

                      Screenshots

                      Thumbnails


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label | Link
PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | 28% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | 100% | Joe Sandbox ML | |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      No Antivirus matches

                      Domains

                      No Antivirus matches

                      URLs


                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
smtp.yandex.ru | 77.88.21.158 | true | false | | high
smtp.yandex.com | unknown | unknown | false | | high

                          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://hWJRHFah1ZO6.com | true | Avira URL Cloud: safe | unknown

                          URLs from Memory and Binaries


                                                                    Contacted IPs


                                                                    Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
77.88.21.158 | unknown | Russian Federation | | 13238 | YANDEXRU | false

                                                                    General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 356551
Start date: 23.02.2021
Start time: 10:00:05
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 57s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                    Number of analysed new started processes analysed:16
                                                                    Number of new started drivers analysed:0
                                                                    Number of existing processes analysed:0
                                                                    Number of existing drivers analysed:0
                                                                    Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@2/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 26
• Number of non-executed functions: 9
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 51.11.168.160, 13.107.3.254, 13.107.246.254, 13.64.90.137, 104.43.193.48, 92.122.145.220, 13.88.21.125, 40.88.32.150, 52.147.198.201, 51.104.139.180, 52.155.217.156, 20.54.26.129, 2.20.142.210, 2.20.142.209, 92.122.213.194, 92.122.213.247
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, s-ring.msedge.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, s-ring.s-9999.s-msedge.net, t-ring.msedge.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, t-9999.t-msedge.net, s-9999.s-msedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, t-ring.t-9999.t-msedge.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/356551/sample/PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe

Simulations

Behavior and APIs

Time | Type | Description
10:01:00 | API Interceptor | 767x Sleep call for process: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
77.88.21.158 | pass.exe | Get hash | malicious | Browse |
77.88.21.158 | nXKdiUgIYy.exe | Get hash | malicious | Browse |
77.88.21.158 | x4cXV3784J.exe | Get hash | malicious | Browse |
77.88.21.158 | Request For Quotation #D22022021_pdf.exe | Get hash | malicious | Browse |
77.88.21.158 | RFQ_PDRVK2200248_00667_PDF.exe | Get hash | malicious | Browse |
77.88.21.158 | emI0MqOvFw.exe | Get hash | malicious | Browse |
77.88.21.158 | ZnsXrCAriL.exe | Get hash | malicious | Browse |
77.88.21.158 | zyp9gbDQHw.exe | Get hash | malicious | Browse |
77.88.21.158 | DHL Shipment Notification.PDF.exe | Get hash | malicious | Browse |
77.88.21.158 | MI3eskSuv2.exe | Get hash | malicious | Browse |
77.88.21.158 | NUANG KONG-ON2343020-146377_PDF.exe | Get hash | malicious | Browse |
77.88.21.158 | NUANG KONG-ON2343020-146377_PDF.exe | Get hash | malicious | Browse |
77.88.21.158 | feb 16 processed.xlsx | Get hash | malicious | Browse |
77.88.21.158 | IMG_Catalogue Document.exe | Get hash | malicious | Browse |
77.88.21.158 | PO#THE786YT_pdf.exe | Get hash | malicious | Browse |
77.88.21.158 | BL_No#ONEYJKTAC6384600.exe | Get hash | malicious | Browse |
77.88.21.158 | DHL Delivery Documents.exe | Get hash | malicious | Browse |
77.88.21.158 | Scan copy.exe | Get hash | malicious | Browse |
77.88.21.158 | jmsg.exe | Get hash | malicious | Browse |
77.88.21.158 | DOC11022012.exe | Get hash | malicious | Browse |

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
smtp.yandex.ru | pass.exe | Get hash | malicious | Browse | 77.88.21.158
smtp.yandex.ru | nXKdiUgIYy.exe | Get hash | malicious | Browse | 77.88.21.158
smtp.yandex.ru | x4cXV3784J.exe | Get hash | malicious | Browse | 77.88.21.158
smtp.yandex.ru | Request For Quotation #D22022021_pdf.exe | Get hash | malicious | Browse | 77.88.21.158
smtp.yandex.ru | RFQ_PDRVK2200248_00667_PDF.exe | Get hash | malicious | Browse | 77.88.21.158
smtp.yandex.ru | emI0MqOvFw.exe | Get hash | malicious | Browse | 77.88.21.158
smtp.yandex.ru | ZnsXrCAriL.exe | Get hash | malicious | Browse | 77.88.21.158
smtp.yandex.ru | zyp9gbDQHw.exe | Get hash | malicious | Browse | 77.88.21.158
smtp.yandex.ru | DHL Shipment Notification.PDF.exe | Get hash | malicious | Browse | 77.88.21.158
smtp.yandex.ru | MI3eskSuv2.exe | Get hash | malicious | Browse | 77.88.21.158
smtp.yandex.ru | NUANG KONG-ON2343020-146377_PDF.exe | Get hash | malicious | Browse | 77.88.21.158
smtp.yandex.ru | NUANG KONG-ON2343020-146377_PDF.exe | Get hash | malicious | Browse | 77.88.21.158
smtp.yandex.ru | feb 16 processed.xlsx | Get hash | malicious | Browse | 77.88.21.158
smtp.yandex.ru | IMG_Catalogue Document.exe | Get hash | malicious | Browse | 77.88.21.158
smtp.yandex.ru | PO#THE786YT_pdf.exe | Get hash | malicious | Browse | 77.88.21.158
smtp.yandex.ru | BL_No#ONEYJKTAC6384600.exe | Get hash | malicious | Browse | 77.88.21.158
smtp.yandex.ru | DHL Delivery Documents.exe | Get hash | malicious | Browse | 77.88.21.158
smtp.yandex.ru | Scan copy.exe | Get hash | malicious | Browse | 77.88.21.158
smtp.yandex.ru | jmsg.exe | Get hash | malicious | Browse | 77.88.21.158
smtp.yandex.ru | DOC11022012.exe | Get hash | malicious | Browse | 77.88.21.158

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
YANDEXRU | pass.exe | Get hash | malicious | Browse | 77.88.21.158
YANDEXRU | nXKdiUgIYy.exe | Get hash | malicious | Browse | 77.88.21.158
YANDEXRU | x4cXV3784J.exe | Get hash | malicious | Browse | 77.88.21.158
YANDEXRU | Request For Quotation #D22022021_pdf.exe | Get hash | malicious | Browse | 77.88.21.158
YANDEXRU | RFQ_PDRVK2200248_00667_PDF.exe | Get hash | malicious | Browse | 77.88.21.158
YANDEXRU | emI0MqOvFw.exe | Get hash | malicious | Browse | 77.88.21.158
YANDEXRU | ZnsXrCAriL.exe | Get hash | malicious | Browse | 77.88.21.158
YANDEXRU | zyp9gbDQHw.exe | Get hash | malicious | Browse | 77.88.21.158
YANDEXRU | DHL Shipment Notification.PDF.exe | Get hash | malicious | Browse | 77.88.21.158
YANDEXRU | MI3eskSuv2.exe | Get hash | malicious | Browse | 77.88.21.158
YANDEXRU | NUANG KONG-ON2343020-146377_PDF.exe | Get hash | malicious | Browse | 77.88.21.158
YANDEXRU | NUANG KONG-ON2343020-146377_PDF.exe | Get hash | malicious | Browse | 77.88.21.158
YANDEXRU | feb 16 processed.xlsx | Get hash | malicious | Browse | 77.88.21.158
YANDEXRU | IMG_Catalogue Document.exe | Get hash | malicious | Browse | 77.88.21.158
YANDEXRU | PO#THE786YT_pdf.exe | Get hash | malicious | Browse | 77.88.21.158
YANDEXRU | BL_No#ONEYJKTAC6384600.exe | Get hash | malicious | Browse | 77.88.21.158
YANDEXRU | DHL Delivery Documents.exe | Get hash | malicious | Browse | 77.88.21.158
YANDEXRU | Scan copy.exe | Get hash | malicious | Browse | 77.88.21.158
YANDEXRU | jmsg.exe | Get hash | malicious | Browse | 77.88.21.158
YANDEXRU | DOC11022012.exe | Get hash | malicious | Browse | 77.88.21.158

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.499133080349246
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe
File size: 545280
MD5: 1aee76519a71de3f3f4e7485c2fcc9cb
SHA1: 7a0138e465d7dd20a726f3ccebf811b059355dd4
SHA256: 95d7e599e9a76497dd73084440554dfcf4a94974d49e88c43f23611d4bce5d12
SHA512: 8f039b136c2c49adee9aaf92b881702a81dfba08a5ae47226d5b41c267fc475471b4d7ecf2b3c8ac06234f8a97c738ac026d2f298e275c1f759609b578a7a4b3
SSDEEP: 12288:MUnrX5P0QUsmn1vCn3AhvNKwBEw88+dtEYbDYBNeLrdqWrlFCP4JM:brX5PsseEn0vmwSXYBNe0WxYcM
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o4`..............P..<...........Z... ...`....@.. ....................................@................................

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x485a9e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x60346F84 [Tue Feb 23 02:59:16 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x85a4c          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x86000          0x1018        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x88000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

The non-empty COM_DESCRIPTOR entry is the CLR header (IMAGE_COR20_HEADER, 0x48 bytes at RVA 0x2008), which identifies the file as a managed .NET executable. The 8-byte IAT immediately before it (one 32-bit thunk plus terminator) and the 0x4f-byte import directory are the mscoree.dll stub a .NET image carries for the native loader. No SECURITY (Authenticode signature), DEBUG or TLS directory is present.

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x83aa4       0x83c00   False     0.779986213235   data       7.51402994346   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x86000          0x1018        0x1200    False     0.360243055556   data       4.71646584206   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x88000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

.text is almost the whole file (0x83c00 raw bytes against 0x1200 for .rsrc and 0x200 for .reloc) and measures 7.51 bits per byte. Compiled native code and .NET IL normally sit well below 7, so a value this close to the 8.0 maximum in a section flagged as code indicates compressed or encrypted content stored in the section rather than plain code.

Resources

Name         RVA      Size   Type                                             Language  Country
RT_VERSION   0x86090  0x364  data
RT_MANIFEST  0x86404  0xc0f  XML 1.0 document, UTF-8 Unicode (with BOM) text

Imports

DLL          Import
mscoree.dll  _CorExeMain
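
The Data Directories, Sections and Imports tables above can be reproduced from the raw file with a short parser, and two of their cells turn directly into checks: an executable section above roughly 7 bits per byte (packed or encrypted content) and a non-empty IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (a .NET image, which is why the only native import is mscoree.dll!_CorExeMain). The following Python is an added example written for this page, not Joe Sandbox's code. It parses the section headers and data directories, computes the entropy column, and applies those two checks. The PE it runs on is built by make_sample_pe() and is not the analysed sample: its section contents are synthetic, and its CLR directory entry (0x2008, 0x48) is chosen to mirror the report's COM_DESCRIPTOR row; the 7.0 threshold is likewise an assumption.

```python
"""Parse a PE's section table and data directories the way the report's
"Data Directories", "Sections" and "Imports" tables summarise them.
Added example, not Joe Sandbox code: the image from make_sample_pe() is
constructed here for offline use and is not the analysed sample."""
import hashlib
import math
import struct

IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000020, 0x00000040
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ = 0x20000000, 0x40000000
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14          # CLR header: marks a .NET image
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECTION_HEADER = "<8sIIIIIIHHI"                    # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> dict:
    """Return the section table (with entropy of each section's raw bytes)
    and the data directory list as (virtual address, size) pairs."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic == PE32_MAGIC:
        count_off, dirs_off = 92, 96       # NumberOfRvaAndSizes, DataDirectory[0]
    elif magic == PE32PLUS_MAGIC:
        count_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", blob, opt + count_off)[0]
    directories = [struct.unpack_from("<II", blob, opt + dirs_off + 8 * i)
                   for i in range(n_dirs)]
    sections, first_hdr = [], opt + opt_size
    for i in range(n_sections):
        (name, vsize, va, raw_size, raw_ptr, _rel, _lin, _nrel, _nlin,
         chars) = struct.unpack_from(SECTION_HEADER, blob, first_hdr + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": raw_size,
            "characteristics": chars,
            "entropy": shannon_entropy(blob[raw_ptr:raw_ptr + raw_size]),
        })
    return {"sections": sections, "directories": directories}


def triage(pe: dict, entropy_threshold: float = 7.0) -> dict:
    """The two conclusions a reviewer draws from these tables: code sections
    whose entropy says 'packed or encrypted', and whether a CLR header exists
    (a .NET image, whose only native import is mscoree.dll!_CorExeMain).
    The 7.0 threshold is an assumption, not a value the report states."""
    code = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
    packed = [s["name"] for s in pe["sections"]
              if s["characteristics"] & code and s["entropy"] > entropy_threshold]
    dirs = pe["directories"]
    clr_size = dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR][1] \
        if len(dirs) > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR else 0
    return {"high_entropy_code_sections": packed, "is_dotnet": clr_size != 0}


def make_sample_pe() -> bytes:
    """Constructed PE32: 0x1000 bytes of deterministic pseudo-random .text
    (a SHA-256 chain), a low-entropy .rsrc, and a 0x48-byte CLR directory
    entry at RVA 0x2008 chosen to mirror the report's COM_DESCRIPTOR row."""
    text, block = b"", b"seed"
    while len(text) < 0x1000:
        block = hashlib.sha256(block).digest()
        text += block
    rsrc = b"ABCD" * 0x40 + bytes(0x100)

    def section_header(name, va, raw_ptr, data, chars):
        return struct.pack(SECTION_HEADER, name, len(data), va, len(data),
                           raw_ptr, 0, 0, 0, 0, chars)

    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (0x2008, 0x48)
    optional = (struct.pack("<H", PE32_MAGIC) + bytes(90) + struct.pack("<I", len(dirs))
                + b"".join(struct.pack("<II", va, size) for va, size in dirs))
    headers = (b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)          # e_lfanew
               + b"PE\0\0"
               + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(optional), 0x102)
               + optional
               + section_header(b".text", 0x2000, 0x200, text,
                                IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
               + section_header(b".rsrc", 0x4000, 0x1200, rsrc,
                                IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ))
    return headers + bytes(0x200 - len(headers)) + text + rsrc
```

Running parse_pe on a real file is a matter of passing open(path, "rb").read(); the entropy is computed over the raw on-disk bytes of each section, which is what the report's Entropy column measures, so a section whose raw size is 0 (pure BSS) correctly scores 0.0.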

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2018
Assembly Version  1.0.0.0
InternalName      CausalitySynchronousWork.exe
FileVersion       1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName       RegisterVB
ProductVersion    1.0.0.0
FileDescription   RegisterVB
OriginalFilename  CausalitySynchronousWork.exe

Translation 0x0000 0x04b0 is language-neutral, Unicode (code page 1200). CompanyName, LegalTrademarks and Comments are empty in the binary's VERSIONINFO, and the product name (RegisterVB) bears no relation to the internal and original file name (CausalitySynchronousWork.exe).

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Feb 23, 2021 10:02:42.198137045 CET  49766        587        192.168.2.4   77.88.21.158
Feb 23, 2021 10:02:42.278058052 CET  587          49766      77.88.21.158  192.168.2.4
Feb 23, 2021 10:02:42.278263092 CET  49766        587        192.168.2.4   77.88.21.158
Feb 23, 2021 10:02:42.495795012 CET  587          49766      77.88.21.158  192.168.2.4
Feb 23, 2021 10:02:42.496234894 CET  49766        587        192.168.2.4   77.88.21.158
Feb 23, 2021 10:02:42.576133966 CET  587          49766      77.88.21.158  192.168.2.4
Feb 23, 2021 10:02:42.576175928 CET  587          49766      77.88.21.158  192.168.2.4
Feb 23, 2021 10:02:42.577894926 CET  49766        587        192.168.2.4   77.88.21.158
Feb 23, 2021 10:02:42.657800913 CET  587          49766      77.88.21.158  192.168.2.4
Feb 23, 2021 10:02:42.703923941 CET  49766        587        192.168.2.4   77.88.21.158
Feb 23, 2021 10:02:42.756781101 CET  49766        587        192.168.2.4   77.88.21.158
Feb 23, 2021 10:02:42.837865114 CET  587          49766      77.88.21.158  192.168.2.4
Feb 23, 2021 10:02:42.837910891 CET  587          49766      77.88.21.158  192.168.2.4
Feb 23, 2021 10:02:42.837932110 CET  587          49766      77.88.21.158  192.168.2.4
Feb 23, 2021 10:02:42.837953091 CET  587          49766      77.88.21.158  192.168.2.4
Feb 23, 2021 10:02:42.838053942 CET  49766        587        192.168.2.4   77.88.21.158
Feb 23, 2021 10:02:42.838130951 CET  49766        587        192.168.2.4   77.88.21.158
Feb 23, 2021 10:02:42.895100117 CET  49766        587        192.168.2.4   77.88.21.158
Feb 23, 2021 10:02:42.975493908 CET  587          49766      77.88.21.158  192.168.2.4
Feb 23, 2021 10:02:43.016398907 CET  49766        587        192.168.2.4   77.88.21.158
Feb 23, 2021 10:02:43.314435005 CET  49766        587        192.168.2.4   77.88.21.158
Feb 23, 2021 10:02:43.394462109 CET  587          49766      77.88.21.158  192.168.2.4
Feb 23, 2021 10:02:43.396380901 CET  49766        587        192.168.2.4   77.88.21.158
Feb 23, 2021 10:02:43.476207972 CET  587          49766      77.88.21.158  192.168.2.4
Feb 23, 2021 10:02:43.477214098 CET  49766        587        192.168.2.4   77.88.21.158
Feb 23, 2021 10:02:43.572707891 CET  587          49766      77.88.21.158  192.168.2.4
Feb 23, 2021 10:02:43.573838949 CET  49766        587        192.168.2.4   77.88.21.158
Feb 23, 2021 10:02:43.662101984 CET  587          49766      77.88.21.158  192.168.2.4
Feb 23, 2021 10:02:43.662761927 CET  49766        587        192.168.2.4   77.88.21.158
Feb 23, 2021 10:02:43.750448942 CET  587          49766      77.88.21.158  192.168.2.4
Feb 23, 2021 10:02:43.751246929 CET  49766        587        192.168.2.4   77.88.21.158
Feb 23, 2021 10:02:43.831873894 CET  587          49766      77.88.21.158  192.168.2.4
Feb 23, 2021 10:02:43.834738016 CET  49766        587        192.168.2.4   77.88.21.158
Feb 23, 2021 10:02:43.835112095 CET  49766        587        192.168.2.4   77.88.21.158
Feb 23, 2021 10:02:43.835944891 CET  49766        587        192.168.2.4   77.88.21.158
Feb 23, 2021 10:02:43.836241007 CET  49766        587        192.168.2.4   77.88.21.158
Feb 23, 2021 10:02:43.914947987 CET  587          49766      77.88.21.158  192.168.2.4
Feb 23, 2021 10:02:43.916039944 CET  587          49766      77.88.21.158  192.168.2.4
Feb 23, 2021 10:02:44.468914032 CET  587          49766      77.88.21.158  192.168.2.4
Feb 23, 2021 10:02:44.516482115 CET  49766        587        192.168.2.4   77.88.21.158

All 40 packets belong to one TCP connection, 192.168.2.4:49766 to 77.88.21.158:587, the SMTP submission port: 21 packets outbound, 19 inbound, over about 2.3 s (10:02:42.198 to 10:02:44.516). The list records only timestamps and the 5-tuple, so what the session carried has to be read from the capture itself, not from this table.
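
Because the packet lists record only timestamps and the 5-tuple, any detection built on them is a port-and-direction rule rather than content inspection. As an added example (not part of the report), the following Python turns rows in this shape into client-to-server flows and applies two such rules: TCP from a private address to a public one on a mail port, and the number of UDP/53 queries per client/resolver pair. PACKET_ROWS holds a handful of rows transcribed from the report's TCP and UDP tables into a whitespace-separated form with the protocol prepended; the mail port list, the private/global split and the ephemeral-port heuristic used to orient each flow are assumptions made here, not something the report states.

```python
"""Turn per-packet rows like the report's TCP/UDP tables into client-to-server
flows and apply two port-and-direction rules: mail-port egress from a private
address, and DNS query counts per client/resolver pair.

Added example, not part of the report. PACKET_ROWS are rows transcribed from
the report's tables into a whitespace-separated form (protocol prepended);
MAIL_PORTS, the private/global split and the ephemeral-port heuristic are
assumptions made here.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# proto, timestamp, source port, dest port, source IP, dest IP (report column order)
PACKET_ROWS = """
TCP Feb 23, 2021 10:02:42.198137045 CET 49766 587 192.168.2.4 77.88.21.158
TCP Feb 23, 2021 10:02:42.278058052 CET 587 49766 77.88.21.158 192.168.2.4
TCP Feb 23, 2021 10:02:42.278263092 CET 49766 587 192.168.2.4 77.88.21.158
TCP Feb 23, 2021 10:02:44.516482115 CET 49766 587 192.168.2.4 77.88.21.158
UDP Feb 23, 2021 10:00:43.904242992 CET 53723 53 192.168.2.4 8.8.8.8
UDP Feb 23, 2021 10:00:43.953201056 CET 53 53723 8.8.8.8 192.168.2.4
UDP Feb 23, 2021 10:00:44.008800983 CET 64646 53 192.168.2.4 8.8.8.8
UDP Feb 23, 2021 10:00:44.057655096 CET 53 64646 8.8.8.8 192.168.2.4
"""

MAIL_PORTS = {25, 465, 587, 2525}   # assumption: ports treated as mail egress
EPHEMERAL_START = 49152             # IANA dynamic range; the report's client ports sit here


def parse_row(line: str):
    """Split one row; the 9-digit fraction is cut to the 6 digits strptime accepts."""
    proto, rest = line.split(" ", 1)
    stamp, sport, dport, src, dst = rest.rsplit(" ", 4)
    stamp = stamp.rsplit(" ", 1)[0]                 # drop the "CET" suffix
    whole, frac = stamp.split(".")
    ts = datetime.strptime(f"{whole}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
    return proto, ts, int(sport), int(dport), src, dst


def build_flows(rows_text: str) -> dict:
    """Group packets by (proto, client, cport, server, sport) with per-direction counts."""
    flows = {}
    for line in rows_text.strip().splitlines():
        proto, ts, sport, dport, src, dst = parse_row(line)
        if dport >= EPHEMERAL_START > sport:        # reply from server to client
            key, direction = (proto, dst, dport, src, sport), "in"
        else:                                       # client to server (or ambiguous)
            key, direction = (proto, src, sport, dst, dport), "out"
        flow = flows.setdefault(key, {"first": ts, "last": ts, "out": 0, "in": 0})
        flow[direction] += 1
        flow["first"] = min(flow["first"], ts)
        flow["last"] = max(flow["last"], ts)
    return flows


def triage_flows(flows: dict) -> list:
    """Apply the two rules; returns one finding dict per hit."""
    findings = []
    dns_queries = defaultdict(int)
    for (proto, client, _cport, server, sport), flow in flows.items():
        private_client = ipaddress.ip_address(client).is_private
        public_server = ipaddress.ip_address(server).is_global
        if proto == "TCP" and private_client and public_server and sport in MAIL_PORTS:
            findings.append({
                "rule": "mail_egress", "client": client, "server": server, "port": sport,
                "packets_out": flow["out"], "packets_in": flow["in"],
                "duration_s": (flow["last"] - flow["first"]).total_seconds(),
            })
        if proto == "UDP" and sport == 53:
            dns_queries[(client, server)] += flow["out"]   # queries only, not replies
    for (client, server), count in dns_queries.items():
        findings.append({"rule": "dns_queries", "client": client,
                         "server": server, "count": count})
    return findings
```

The mail rule fires on the single 49766 to 587 session in the rows above; on a workstation that has no business submitting mail directly to an external host, that is the alert, and the DNS count is context rather than an alert on its own. Feeding the full tables in is a matter of pasting more rows into PACKET_ROWS in the same form.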

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Feb 23, 2021 10:00:43.904242992 CET  53723        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:00:43.953201056 CET  53           53723      8.8.8.8      192.168.2.4
Feb 23, 2021 10:00:44.008800983 CET  64646        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:00:44.057655096 CET  53           64646      8.8.8.8      192.168.2.4
Feb 23, 2021 10:00:44.253242970 CET  65298        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:00:44.301928997 CET  53           65298      8.8.8.8      192.168.2.4
Feb 23, 2021 10:00:44.391328096 CET  59123        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:00:44.440063953 CET  53           59123      8.8.8.8      192.168.2.4
Feb 23, 2021 10:00:46.598134041 CET  54531        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:00:46.649734020 CET  53           54531      8.8.8.8      192.168.2.4
Feb 23, 2021 10:00:47.582580090 CET  49714        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:00:47.633573055 CET  53           49714      8.8.8.8      192.168.2.4
Feb 23, 2021 10:00:48.228200912 CET  58028        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:00:48.286237955 CET  53           58028      8.8.8.8      192.168.2.4
Feb 23, 2021 10:00:49.299523115 CET  53097        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:00:49.351027966 CET  53           53097      8.8.8.8      192.168.2.4
Feb 23, 2021 10:00:50.944117069 CET  49257        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:00:50.992784023 CET  53           49257      8.8.8.8      192.168.2.4
Feb 23, 2021 10:00:52.594340086 CET  62389        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:00:52.655049086 CET  53           62389      8.8.8.8      192.168.2.4
Feb 23, 2021 10:00:54.342374086 CET  49910        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:00:54.391372919 CET  53           49910      8.8.8.8      192.168.2.4
Feb 23, 2021 10:00:55.159972906 CET  55854        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:00:55.211529016 CET  53           55854      8.8.8.8      192.168.2.4
Feb 23, 2021 10:00:56.114887953 CET  64549        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:00:56.174813986 CET  53           64549      8.8.8.8      192.168.2.4
Feb 23, 2021 10:00:57.107119083 CET  63153        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:00:57.156094074 CET  53           63153      8.8.8.8      192.168.2.4
Feb 23, 2021 10:00:58.200087070 CET  52991        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:00:58.248769999 CET  53           52991      8.8.8.8      192.168.2.4
Feb 23, 2021 10:00:59.456084967 CET  53700        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:00:59.515988111 CET  53           53700      8.8.8.8      192.168.2.4
Feb 23, 2021 10:01:00.498574018 CET  51726        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:01:00.550203085 CET  53           51726      8.8.8.8      192.168.2.4
Feb 23, 2021 10:01:01.660548925 CET  56794        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:01:01.709533930 CET  53           56794      8.8.8.8      192.168.2.4
Feb 23, 2021 10:01:02.429672956 CET  56534        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:01:02.478437901 CET  53           56534      8.8.8.8      192.168.2.4
Feb 23, 2021 10:01:03.334944963 CET  56627        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:01:03.387681007 CET  53           56627      8.8.8.8      192.168.2.4
Feb 23, 2021 10:01:04.456754923 CET  56621        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:01:04.505563974 CET  53           56621      8.8.8.8      192.168.2.4
Feb 23, 2021 10:01:05.337758064 CET  63116        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:01:05.387083054 CET  53           63116      8.8.8.8      192.168.2.4
Feb 23, 2021 10:01:07.280673027 CET  64078        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:01:07.332103014 CET  53           64078      8.8.8.8      192.168.2.4
Feb 23, 2021 10:01:08.597980976 CET  64801        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:01:08.655253887 CET  53           64801      8.8.8.8      192.168.2.4
Feb 23, 2021 10:01:20.470321894 CET  61721        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:01:20.518882990 CET  53           61721      8.8.8.8      192.168.2.4
Feb 23, 2021 10:01:36.786833048 CET  51255        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:01:36.853599072 CET  53           51255      8.8.8.8      192.168.2.4
Feb 23, 2021 10:01:37.528295040 CET  61522        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:01:37.602746010 CET  53           61522      8.8.8.8      192.168.2.4
Feb 23, 2021 10:01:38.140194893 CET  52337        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:01:38.203047037 CET  53           52337      8.8.8.8      192.168.2.4
Feb 23, 2021 10:01:38.570153952 CET  55046        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:01:38.638699055 CET  53           55046      8.8.8.8      192.168.2.4
Feb 23, 2021 10:01:38.725440025 CET  49612        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:01:38.783823967 CET  53           49612      8.8.8.8      192.168.2.4
Feb 23, 2021 10:01:39.243807077 CET  49285        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:01:39.305532932 CET  53           49285      8.8.8.8      192.168.2.4
Feb 23, 2021 10:01:39.881556988 CET  50601        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:01:39.905564070 CET  60875        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:01:39.941510916 CET  53           50601      8.8.8.8      192.168.2.4
Feb 23, 2021 10:01:39.964632034 CET  53           60875      8.8.8.8      192.168.2.4
Feb 23, 2021 10:01:40.666313887 CET  56448        53         192.168.2.4  8.8.8.8
Feb 23, 2021 10:01:40.724735022 CET  53           56448      8.8.8.8      192.168.2.4
Feb 23, 2021 10:01:42.018938065 CET  59172        53         192.168.2.4  8.8.8.8
                                                                                                            Feb 23, 2021 10:01:42.076061964 CET53591728.8.8.8192.168.2.4
                                                                                                            Feb 23, 2021 10:01:43.104039907 CET6242053192.168.2.48.8.8.8
                                                                                                            Feb 23, 2021 10:01:43.160797119 CET53624208.8.8.8192.168.2.4
                                                                                                            Feb 23, 2021 10:01:43.684237003 CET6057953192.168.2.48.8.8.8
                                                                                                            Feb 23, 2021 10:01:43.733505011 CET53605798.8.8.8192.168.2.4
                                                                                                            Feb 23, 2021 10:01:54.736334085 CET5018353192.168.2.48.8.8.8
                                                                                                            Feb 23, 2021 10:01:54.784964085 CET53501838.8.8.8192.168.2.4
                                                                                                            Feb 23, 2021 10:01:55.000256062 CET6153153192.168.2.48.8.8.8
                                                                                                            Feb 23, 2021 10:01:55.072727919 CET53615318.8.8.8192.168.2.4
                                                                                                            Feb 23, 2021 10:01:57.758444071 CET4922853192.168.2.48.8.8.8
                                                                                                            Feb 23, 2021 10:01:57.817082882 CET53492288.8.8.8192.168.2.4
                                                                                                            Feb 23, 2021 10:02:31.309809923 CET5979453192.168.2.48.8.8.8
                                                                                                            Feb 23, 2021 10:02:31.358388901 CET53597948.8.8.8192.168.2.4
                                                                                                            Feb 23, 2021 10:02:33.507487059 CET5591653192.168.2.48.8.8.8
                                                                                                            Feb 23, 2021 10:02:33.572231054 CET53559168.8.8.8192.168.2.4
                                                                                                            Feb 23, 2021 10:02:41.925867081 CET5275253192.168.2.48.8.8.8
                                                                                                            Feb 23, 2021 10:02:41.985615015 CET53527528.8.8.8192.168.2.4
                                                                                                            Feb 23, 2021 10:02:42.019001007 CET6054253192.168.2.48.8.8.8
                                                                                                            Feb 23, 2021 10:02:42.075989008 CET53605428.8.8.8192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 23, 2021 10:02:41.925867081 CET | 192.168.2.4 | 8.8.8.8 | 0x13a7 | Standard query (0) | smtp.yandex.com | A (IP address) | IN (0x0001)
Feb 23, 2021 10:02:42.019001007 CET | 192.168.2.4 | 8.8.8.8 | 0x411 | Standard query (0) | smtp.yandex.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 23, 2021 10:02:41.985615015 CET | 8.8.8.8 | 192.168.2.4 | 0x13a7 | No error (0) | smtp.yandex.com | smtp.yandex.ru | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 10:02:41.985615015 CET | 8.8.8.8 | 192.168.2.4 | 0x13a7 | No error (0) | smtp.yandex.ru | | 77.88.21.158 | A (IP address) | IN (0x0001)
Feb 23, 2021 10:02:42.075989008 CET | 8.8.8.8 | 192.168.2.4 | 0x411 | No error (0) | smtp.yandex.com | smtp.yandex.ru | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 10:02:42.075989008 CET | 8.8.8.8 | 192.168.2.4 | 0x411 | No error (0) | smtp.yandex.ru | | 77.88.21.158 | A (IP address) | IN (0x0001)

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Feb 23, 2021 10:02:42.495795012 CET | 587 | 49766 | 77.88.21.158 | 192.168.2.4 | 220 vla4-d1b041059520.qloud-c.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru)
Feb 23, 2021 10:02:42.496234894 CET | 49766 | 587 | 192.168.2.4 | 77.88.21.158 | EHLO 928100
Feb 23, 2021 10:02:42.576175928 CET | 587 | 49766 | 77.88.21.158 | 192.168.2.4 | 250-vla4-d1b041059520.qloud-c.yandex.net
    250-8BITMIME
    250-PIPELINING
    250-SIZE 42991616
    250-STARTTLS
    250-AUTH LOGIN PLAIN XOAUTH2
    250-DSN
    250 ENHANCEDSTATUSCODES
Feb 23, 2021 10:02:42.577894926 CET | 49766 | 587 | 192.168.2.4 | 77.88.21.158 | STARTTLS
Feb 23, 2021 10:02:42.657800913 CET | 587 | 49766 | 77.88.21.158 | 192.168.2.4 | 220 Go ahead

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

System Behavior

General

Start time: 10:00:52
Start date: 23/02/2021
Path: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe'
Imagebase: 0x3e0000
File size: 545280 bytes
MD5 hash: 1AEE76519A71DE3F3F4E7485C2FCC9CB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.924538970.0000000008A30000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.913283629.0000000003AD3000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

Disassembly

Code Analysis

Executed Functions

Memory Dump Source
• Source File: 00000000.00000002.911475505.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 47973c2d61f52801c083226881dc50e0d89aba78a61e41ee6a9c63f2e072dd9b
• Instruction ID: 3c029e61ab999922f837d70a45e25798f8a7c0cdea5c6e865114e7f613edbd08
• Opcode Fuzzy Hash: 47973c2d61f52801c083226881dc50e0d89aba78a61e41ee6a9c63f2e072dd9b
• Instruction Fuzzy Hash: 5C734F31D14B198ECB11EF68C8946A9F7B1FF99304F15C79AE049A7221EB70AAC4CF51
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.911475505.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a666b919c7d70bf1895ca26721930e04e682200188f8a0a08ceb01390d929bdc
• Instruction ID: 9d238c4ba07cdc3c994c7b0fd4c70166357397dcf675d9172e21f4ba358680cf
• Opcode Fuzzy Hash: a666b919c7d70bf1895ca26721930e04e682200188f8a0a08ceb01390d929bdc
• Instruction Fuzzy Hash: 41530D31D14B1A8ECB21EF68C884699F7B1FF99304F15C79AE45867221EB70AAC4CF51
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.910738968.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d30f85bc5c93d4fda5864a390e7b5070bf8316a6ae5b95c549b7f7b20f83fc2b
• Instruction ID: ea7ff3d0bb443307dd91340095a52e30c7e6489ef2cbedbb84aa155af121c281
• Opcode Fuzzy Hash: d30f85bc5c93d4fda5864a390e7b5070bf8316a6ae5b95c549b7f7b20f83fc2b
• Instruction Fuzzy Hash: 25A27C31E042198FDB14EF78C9557ADB7F2AF89304F1185A9E50AAB351EF349E85CB80
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.911455282.0000000000D80000.00000040.00000001.sdmp, Offset: 00D80000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 96fdd77cd63041ce38a180da1753e3631f90097729c1584f9874b8c2b5a2d3ab
• Instruction ID: 63856b68637686eb3fbbd357a64ff54b394e721eaa3f56cc92f0b921251518b9
• Opcode Fuzzy Hash: 96fdd77cd63041ce38a180da1753e3631f90097729c1584f9874b8c2b5a2d3ab
• Instruction Fuzzy Hash: 98F16E30A00209CFEB14EFA9C995BADBBF1FF48314F198568E405AB265DB74E945CF60
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.910738968.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 471f219ce3e8e961cf335dce4c760fd608dfdb52441aa6e0c6c4f7e00f8d1e02
• Instruction ID: 576ab0e9017c858812747861cd48e92af71ee92fb1c81935a84ef4f335d0739f
• Opcode Fuzzy Hash: 471f219ce3e8e961cf335dce4c760fd608dfdb52441aa6e0c6c4f7e00f8d1e02
• Instruction Fuzzy Hash: EE51B432B002059FCB04EFB4D554AAEB7F6EF89304B248569E5069B352EF34E904CBA0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.910738968.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 12e4efc6f884a68fc0e6b860dbbd7a6598389a6dbea0475ec2bc3a18f48731b3
• Instruction ID: 080dce4a4545928fe3eee824d59f95f022ffd93735055ac3122d15361f580e18
• Opcode Fuzzy Hash: 12e4efc6f884a68fc0e6b860dbbd7a6598389a6dbea0475ec2bc3a18f48731b3
• Instruction Fuzzy Hash: 47B24930A002048FDB64EB78C598BADB7F6EF8A315F148569E41ADB392DB35DC45CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.910738968.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 38071aa864304b5a08e147197b2afae45b2f811facd104c5352d24341221d89b
• Instruction ID: e1277381376229b0b7f88048f7a85497d375f43d2355309b7dfed1b4b7249898
• Opcode Fuzzy Hash: 38071aa864304b5a08e147197b2afae45b2f811facd104c5352d24341221d89b
• Instruction Fuzzy Hash: 7982D330B042449FEB24DBB8C894BAEBBB6EF86304F148469E116DB392DB74DC45C791
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.911475505.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0b0d6c9c41cbdc680e4857b55e6f2039920147e727ebd7e7eac007f70561298a
• Instruction ID: b383a703ea4f7d8fd964d63c3824673bbe3a964cc57095aa8e849bb63ba6e3c6
• Opcode Fuzzy Hash: 0b0d6c9c41cbdc680e4857b55e6f2039920147e727ebd7e7eac007f70561298a
• Instruction Fuzzy Hash: 7952AF31B083458FDB15AB74C85476EBBF2AF89304F1484AAD549DB3A2EF388D46CB51
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.910738968.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8f7bc7c31ef2f6cee9c1c38dc66cd14345173df368d21fb9986d2af60a5bd44f
• Instruction ID: 315a5b7724d37c85229936703b3f509e095f08a1db1d95f63c5475165bad7c7a
• Opcode Fuzzy Hash: 8f7bc7c31ef2f6cee9c1c38dc66cd14345173df368d21fb9986d2af60a5bd44f
• Instruction Fuzzy Hash: 3E42C330A042448FEB24EBB8C8947ADBBB6EF86304F14C169D0199F396CB75DC45CBA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.911475505.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6dcca2dc2b43564b0b07aa4d5f084f8f25aab6cb71d529b7c494761987549d22
• Instruction ID: 71b0a80508184769bc189565b35bf912f59df2e5e6eb07a428115df7b4e4fbcc
• Opcode Fuzzy Hash: 6dcca2dc2b43564b0b07aa4d5f084f8f25aab6cb71d529b7c494761987549d22
• Instruction Fuzzy Hash: FD228F31B042459FDF15EBB8C864B6EBBF2AF89300F1984A9E405DB396DB34DC458B61
Uniqueness

Uniqueness Score: -1.00%

                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.924446800.0000000008A10000.00000040.00000001.sdmp, Offset: 08A10000, based on PE: false
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 16e8b3a14b827441e19f230d1a4388af8d98d7a6b333635257c2b6a5d038f6d3
                                                                                                              • Instruction ID: 542da616ccebb87f2538c69dc60df014034df0acf9b265b12f48d31547951659
                                                                                                              • Opcode Fuzzy Hash: 16e8b3a14b827441e19f230d1a4388af8d98d7a6b333635257c2b6a5d038f6d3
                                                                                                              • Instruction Fuzzy Hash: A8D15A71E00219CFCF14DFA8C484AAEFBF2EF88315F15856AE515AB351CB34A946CB90
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.924446800.0000000008A10000.00000040.00000001.sdmp, Offset: 08A10000, based on PE: false
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 404d15cf2bf88ef2cac94aad7e6fe7a5fac1fbf1fb3f14471468f7607bd4274f
                                                                                                              • Instruction ID: 341fb1e1fa105784cb11c56d0d2f383f13c809684da752ebce44d3738a647936
                                                                                                              • Opcode Fuzzy Hash: 404d15cf2bf88ef2cac94aad7e6fe7a5fac1fbf1fb3f14471468f7607bd4274f
                                                                                                              • Instruction Fuzzy Hash: 6BB18C71E01619CFDF10CFA9D8857DEBBF2AF88305F148129D815E7694EB34A886CB91
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.924446800.0000000008A10000.00000040.00000001.sdmp, Offset: 08A10000, based on PE: false
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 344fc04120730ac92cde9d8a6a2f1abd580f3820b14f300246ffe67a6bf1fa5a
                                                                                                              • Instruction ID: e0bc8b6711319bba9ff80b975070c7ee306c72344375c3b26c96319d2374ae04
                                                                                                              • Opcode Fuzzy Hash: 344fc04120730ac92cde9d8a6a2f1abd580f3820b14f300246ffe67a6bf1fa5a
                                                                                                              • Instruction Fuzzy Hash: D6B17D70E00209CFDF10CFA9C8917DDBBF2AF88765F148129D815E7694DB789886CBA1
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.924446800.0000000008A10000.00000040.00000001.sdmp, Offset: 08A10000, based on PE: false
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8a8981b8389f17aa58ea8e926a202ef409f271e8049b46576548f6fc592e7d68
                                                                                                              • Instruction ID: 23a857f3f10298c5322e06a46dcb2f95cf1a22ca1639892a080bbf71758bc8d9
                                                                                                              • Opcode Fuzzy Hash: 8a8981b8389f17aa58ea8e926a202ef409f271e8049b46576548f6fc592e7d68
                                                                                                              • Instruction Fuzzy Hash: 73919F70E01219CFDF10CFA9C9857DEBBF2AF88315F14812DE415A7694DB78A846CB91
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.911475505.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 432e3cb7330d181cfbd1cc5b539f17968ab9ecdac430aaff00ece15118a79f05
                                                                                                              • Instruction ID: d5104641cf058c968b90da2d43ed907470d2222cd2915c2b89baf5df05cedf9f
                                                                                                              • Opcode Fuzzy Hash: 432e3cb7330d181cfbd1cc5b539f17968ab9ecdac430aaff00ece15118a79f05
                                                                                                              • Instruction Fuzzy Hash: 73615C30A003059FDF14EBB4E6597AEBBF6AF88315F258429D402A7351DF799845CBA0
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.910738968.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: fd1a3fdd817d9d681baf1145cc7411bed845798e6335b930cd9eacfa3322e1c2
                                                                                                              • Instruction ID: ae0938d6e4aceef081e285035462453bc1d4d2191ac5080f427e0525f9ba205f
                                                                                                              • Opcode Fuzzy Hash: fd1a3fdd817d9d681baf1145cc7411bed845798e6335b930cd9eacfa3322e1c2
                                                                                                              • Instruction Fuzzy Hash: 1451C531B043059FCB05EB74D954AAE7BF6EF85304F24856AE506DB392EF34D9058BA0
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.924446800.0000000008A10000.00000040.00000001.sdmp, Offset: 08A10000, based on PE: false
                                                                                                              Similarity
                                                                                                              • API ID: LibraryLoad
                                                                                                              • String ID:
                                                                                                              • API String ID: 1029625771-0
                                                                                                              • Opcode ID: 7a551fe363642dd2aba0baad3ec8422985aad8f69f41dabeff7bb7c21343e310
                                                                                                              • Instruction ID: ad38639a90ab4b6f5127d17dacc210e0b781f705b6abc7c9dcdb4acbfa8b7fa4
                                                                                                              • Opcode Fuzzy Hash: 7a551fe363642dd2aba0baad3ec8422985aad8f69f41dabeff7bb7c21343e310
                                                                                                              • Instruction Fuzzy Hash: 183153B1D202499FDF14CFA9D88579EFBB1BB09310F14812EE816A7380D7788442CF91
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.924446800.0000000008A10000.00000040.00000001.sdmp, Offset: 08A10000, based on PE: false
                                                                                                              Similarity
                                                                                                              • API ID: LibraryLoad
                                                                                                              • String ID:
                                                                                                              • API String ID: 1029625771-0
                                                                                                              • Opcode ID: 1237c1872436b895ff548249bea8cabdec562d65bdddf17c2b381e6fa8558db5
                                                                                                              • Instruction ID: 77b6078dfc5b6a12df4e77bf073edae688f173a365a14afb47c517598e7e3e36
                                                                                                              • Opcode Fuzzy Hash: 1237c1872436b895ff548249bea8cabdec562d65bdddf17c2b381e6fa8558db5
                                                                                                              • Instruction Fuzzy Hash: FD3151B1D102099FDF14CFA9C88579EFBB1EB09301F10852EE816A7380D7789881CF95
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00D9C829
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.911475505.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                                                                                                              Similarity
                                                                                                              • API ID: QueryValue
                                                                                                              • String ID:
                                                                                                              • API String ID: 3660427363-0
                                                                                                              • Opcode ID: 2863c0121aa24dac7726dfad7e17d03ff9703910452166a3e872730d1e75cd69
                                                                                                              • Instruction ID: 1cc38d062e56e6761b62a202f1d141ce9324c4951706dce8e4bc84a946bcdd5c
                                                                                                              • Opcode Fuzzy Hash: 2863c0121aa24dac7726dfad7e17d03ff9703910452166a3e872730d1e75cd69
                                                                                                              • Instruction Fuzzy Hash: 7E31FFB1D112589FCB20CFAAC884A8EFFF5BF49310F55802AE819AB350D7749945CFA0
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00D9C829
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.911475505.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                                                                                                              Similarity
                                                                                                              • API ID: QueryValue
                                                                                                              • String ID:
                                                                                                              • API String ID: 3660427363-0
                                                                                                              • Opcode ID: f74021e1f7dc303863c17996e8714807176bd8631be37c128d77548a631649e1
                                                                                                              • Instruction ID: f86a5584f7e7bd724f0bbc12f3840e99344e826627ca3e4d5f85199df51da757
                                                                                                              • Opcode Fuzzy Hash: f74021e1f7dc303863c17996e8714807176bd8631be37c128d77548a631649e1
                                                                                                              • Instruction Fuzzy Hash: BD31EEB1D10258DFCB20CFAAD984A9EFBF5BF48314F55802AE819AB310D7749905CFA0
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              • RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 00D9C5BC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.911475505.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                                                                                                              Similarity
                                                                                                              • API ID: Open
                                                                                                              • String ID:
                                                                                                              • API String ID: 71445658-0
                                                                                                              • Opcode ID: 008b82528a12ec3e288f6b7dcfb66ec8c1a38a7ab3b2fca6c82813d66d3be371
                                                                                                              • Instruction ID: 28711c5782cbcc197f8fc5ae38e5c4db39de240cf75127b25643ff64f5c05ef0
                                                                                                              • Opcode Fuzzy Hash: 008b82528a12ec3e288f6b7dcfb66ec8c1a38a7ab3b2fca6c82813d66d3be371
                                                                                                              • Instruction Fuzzy Hash: 243110B0C042899FDB10CFA9C584A8EFFF5AF49304F29816AE409AB341C7759945CBA0
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              • RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 00D9C5BC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.911475505.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                                                                                                              Similarity
                                                                                                              • API ID: Open
                                                                                                              • String ID:
                                                                                                              • API String ID: 71445658-0
                                                                                                              • Opcode ID: b5ccefc21cf05cf6de5ad428a0f8105a5c2c8081bad2fb1db217e0b5c2e72c3a
                                                                                                              • Instruction ID: 799d010eaf20a146aa8a38467e173e20be207399cd764b1368c68d9ade948844
                                                                                                              • Opcode Fuzzy Hash: b5ccefc21cf05cf6de5ad428a0f8105a5c2c8081bad2fb1db217e0b5c2e72c3a
                                                                                                              • Instruction Fuzzy Hash: C731FEB1D002499FDB10CF99C584B8EFFF5BF49314F29816AE809AB341C775A985CBA0
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              • GlobalMemoryStatusEx.KERNEL32 ref: 00D80577
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.911455282.0000000000D80000.00000040.00000001.sdmp, Offset: 00D80000, based on PE: false
                                                                                                              Similarity
                                                                                                              • API ID: GlobalMemoryStatus
                                                                                                              • String ID:
                                                                                                              • API String ID: 1890195054-0
                                                                                                              • Opcode ID: a67f81cf6a29dc2a14a7bd084029b785b3047509987a42570e8f47397e9ed25e
                                                                                                              • Instruction ID: c5c69029bfbec9e5ff69f4b6481200cbcec9f6efe54fe9be4afa702675336804
                                                                                                              • Opcode Fuzzy Hash: a67f81cf6a29dc2a14a7bd084029b785b3047509987a42570e8f47397e9ed25e
                                                                                                              • Instruction Fuzzy Hash: 952187B1C0425A9FDB10DFAAD844BEEBBB0EF49324F15816AD914A7340D7389949CFA1
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.911475505.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 1a0c7ea3592f14e153211bd09150976e720c06f3c427908f620ddee94b234927
                                                                                                              • Instruction ID: 61f6167d03de6574756029fe5af2a90a8eca972c3e2726cca9aa25b9c584a7a0
                                                                                                              • Opcode Fuzzy Hash: 1a0c7ea3592f14e153211bd09150976e720c06f3c427908f620ddee94b234927
                                                                                                              • Instruction Fuzzy Hash: F5216D71A00308DFCB14EFB4E558AADBBB2FF88314F25856EE041A7250C7359889CF60
                                                                                                              Uniqueness

Uniqueness Score: -1.00%

APIs
• GlobalMemoryStatusEx.KERNEL32 ref: 00D80577
Memory Dump Source
• Source File: 00000000.00000002.911455282.0000000000D80000.00000040.00000001.sdmp, Offset: 00D80000, based on PE: false
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
• Opcode ID: a84b671a3d5395fa35335519e0932df219733d98dd09f414313f5dbe51a4eb93
• Instruction ID: 5f79ca6f618c66ef3060b7c0ecf2a09a068a2bc09192ffe52a505aaa14e0d4fd
• Opcode Fuzzy Hash: a84b671a3d5395fa35335519e0932df219733d98dd09f414313f5dbe51a4eb93
• Instruction Fuzzy Hash: 3E1112B1C006199FDB10CF9AD844BDEFBF4AB48324F15816AE828A7240D378A944CFE1
Uniqueness

Uniqueness Score: -1.00%

APIs
• KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,08A1F6CF), ref: 08A1F747
Memory Dump Source
• Source File: 00000000.00000002.924446800.0000000008A10000.00000040.00000001.sdmp, Offset: 08A10000, based on PE: false
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 618ad8ce208674eeb841bc0ef8d0aee60e03adcce699246a87bf2cf76c2ff8c3
• Instruction ID: d012f806850d20a6f744dc2bbd9f924f331a03b4f1ad21f7d0453272ae5b1516
• Opcode Fuzzy Hash: 618ad8ce208674eeb841bc0ef8d0aee60e03adcce699246a87bf2cf76c2ff8c3
• Instruction Fuzzy Hash: 061155B18042488FCB10DF9AD884BDEFBF4EB49224F10841AE529A3700C778A940CFA0
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Strings
Memory Dump Source
• Source File: 00000000.00000002.911475505.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
Similarity
• API ID:
• String ID: l
• API String ID: 0-2517025534
• Opcode ID: c088a8c3cf6192e1c365b502c17389f42c6204589d3d271ca9fb889206444369
• Instruction ID: 3bccf1a440d0e9efc3bb4cdf217602b8075c0108cd1bef005a82ac80c0ba72bd
• Opcode Fuzzy Hash: c088a8c3cf6192e1c365b502c17389f42c6204589d3d271ca9fb889206444369
• Instruction Fuzzy Hash: 95928E30B042048FDB14EBB8D9547ADBBF2AF89305F2584A9E409DB396DB35DD46CB60
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.911475505.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f7563fa0fcdfffb00c74d70b763c73ee71f6c81c1ce3da3213c2e2d37aac58e2
• Instruction ID: 88107b23c40111376a13a2610100746159e0fee992b11899ef552afb8814444a
• Opcode Fuzzy Hash: f7563fa0fcdfffb00c74d70b763c73ee71f6c81c1ce3da3213c2e2d37aac58e2
• Instruction Fuzzy Hash: 01031C71D10A198ECB14EF68C88469DF7B1FF99310F15C6DAE449AB211EB70AAC4CF91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.911475505.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 58ee912e8e0ceca71901da5c44d2d6c8241f98056b39ded1cbdfec871f019252
• Instruction ID: 89d8fed648ed74263a130198d57152ea9de6017800fb3aad50652c3e31cdd642
• Opcode Fuzzy Hash: 58ee912e8e0ceca71901da5c44d2d6c8241f98056b39ded1cbdfec871f019252
• Instruction Fuzzy Hash: 30922B70E006198FCB54EF69C99069DF7F1EF89310F1586EAD409AB251EB30AE85CF91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.910738968.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4f4d23949b1f8732289e86508df79ff651a76711ce913293a3472f73b556e63b
• Instruction ID: 2d16782d24acd45a017b7c98dfe25d8eaf4f6fdad412ee823e90dd94655b42d6
• Opcode Fuzzy Hash: 4f4d23949b1f8732289e86508df79ff651a76711ce913293a3472f73b556e63b
• Instruction Fuzzy Hash: C0729D34B042158FCB19EB74D998BADBBB2EF89305F1484A9D409DB352DF349D428F91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.911475505.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ab92d6540f096c5ba8c9cb1b6886a7ef8255e51ccdc8b36f0203e14cb7b08d44
• Instruction ID: a414a5dba16e10e64cbd1d818ff6898a9a02974ae99757f1aeb9a437f10d0dc0
• Opcode Fuzzy Hash: ab92d6540f096c5ba8c9cb1b6886a7ef8255e51ccdc8b36f0203e14cb7b08d44
• Instruction Fuzzy Hash: 3B42E435F042468FDF14ABB8D894AAEBBB2EF85314F15806AD446DB3A2DB34DC05C761
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.910738968.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d3a67d7ab213587a2be9fb769e10b2162395196187a4b2d52262293ba4581034
• Instruction ID: 3a5aef62a618c28ad5466e344772f2dc8f61dc7415206a2714d363d219fd2be8
• Opcode Fuzzy Hash: d3a67d7ab213587a2be9fb769e10b2162395196187a4b2d52262293ba4581034
• Instruction Fuzzy Hash: 98629E35B042158FCB19EB74DA98BADB7B2EF89305F1484A8D40ADB352DF349D818F90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.911455282.0000000000D80000.00000040.00000001.sdmp, Offset: 00D80000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c85ea20034d2cbf5d93f17b33787402de97ee097f02539b5f7ab38654c6825f8
• Instruction ID: fee74ed78f66778bcf246aa8c75ff4604905ecb13fdb43201f8b2e1b5519c804
• Opcode Fuzzy Hash: c85ea20034d2cbf5d93f17b33787402de97ee097f02539b5f7ab38654c6825f8
• Instruction Fuzzy Hash: E7C1C830B08219CFDF986FA6C8257ADBEF2EF88704F194529D486A6A54CB34CC85D771
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.911475505.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ac50f53fa876bbc3078763c7e69fe599ddbf38d25279dad3dd6503e25b02a38e
• Instruction ID: 08ac848ceeec6f27a53247b465ff2e5914d3cdc5257585e2ba43d311ba072356
• Opcode Fuzzy Hash: ac50f53fa876bbc3078763c7e69fe599ddbf38d25279dad3dd6503e25b02a38e
• Instruction Fuzzy Hash: C0919C31B002059BEF14AF7489597AE76E6EF89750F148538EA06EB392DF38DD0587A0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.924446800.0000000008A10000.00000040.00000001.sdmp, Offset: 08A10000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 458463d3ec6cce00112458fde6bb50a8e6b74989a70c7c19b53512031f45f28b
• Instruction ID: 4ad3a7143c86ace97e1bf29383d0a671dce8bac120c936f2778fb4a97b632c3d
• Opcode Fuzzy Hash: 458463d3ec6cce00112458fde6bb50a8e6b74989a70c7c19b53512031f45f28b
• Instruction Fuzzy Hash: FF81A275F042148BDF08EFB4986577E7AB3AFC8705B19892DE606E7398DF3488428791
Uniqueness

Uniqueness Score: -1.00%
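The function entries above are repetitive and hand-reading them does not scale, so here is an added example (not part of the Joe Sandbox report, written for this page) that parses entries in this exact layout, collects the resolved API call sites (GlobalMemoryStatusEx in KERNEL32, KiUserCallbackDispatcher in NTDLL) with their dump region, and groups all functions by the region offset they were dumped from. The three entries embedded as SAMPLE are constructed from the ones listed above; the field names, the dataclass and the helper function names are this example's own. Every region here is marked "based on PE: false", which I read as memory dumped as raw code rather than as a mapped PE image, the usual picture for an unpacked .NET stealer stage; that interpretation is mine, not a statement of the report.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the report's own layout: two executed functions
# with an API reference and one non-executed function without one.
SAMPLE = """\
APIs
• GlobalMemoryStatusEx.KERNEL32 ref: 00D80577
Memory Dump Source
• Source File: 00000000.00000002.911455282.0000000000D80000.00000040.00000001.sdmp, Offset: 00D80000, based on PE: false
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
• Opcode ID: a84b671a3d5395fa35335519e0932df219733d98dd09f414313f5dbe51a4eb93
• Instruction ID: 5f79ca6f618c66ef3060b7c0ecf2a09a068a2bc09192ffe52a505aaa14e0d4fd
• Opcode Fuzzy Hash: a84b671a3d5395fa35335519e0932df219733d98dd09f414313f5dbe51a4eb93
• Instruction Fuzzy Hash: 3E1112B1C006199FDB10CF9AD844BDEFBF4AB48324F15816AE828A7240D378A944CFE1
Uniqueness

Uniqueness Score: -1.00%

APIs
• KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,08A1F6CF), ref: 08A1F747
Memory Dump Source
• Source File: 00000000.00000002.924446800.0000000008A10000.00000040.00000001.sdmp, Offset: 08A10000, based on PE: false
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 618ad8ce208674eeb841bc0ef8d0aee60e03adcce699246a87bf2cf76c2ff8c3
• Instruction ID: d012f806850d20a6f744dc2bbd9f924f331a03b4f1ad21f7d0453272ae5b1516
• Opcode Fuzzy Hash: 618ad8ce208674eeb841bc0ef8d0aee60e03adcce699246a87bf2cf76c2ff8c3
• Instruction Fuzzy Hash: 061155B18042488FCB10DF9AD884BDEFBF4EB49224F10841AE529A3700C778A940CFA0
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Memory Dump Source
• Source File: 00000000.00000002.911475505.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f7563fa0fcdfffb00c74d70b763c73ee71f6c81c1ce3da3213c2e2d37aac58e2
• Instruction ID: 88107b23c40111376a13a2610100746159e0fee992b11899ef552afb8814444a
• Opcode Fuzzy Hash: f7563fa0fcdfffb00c74d70b763c73ee71f6c81c1ce3da3213c2e2d37aac58e2
• Instruction Fuzzy Hash: 01031C71D10A198ECB14EF68C88469DF7B1FF99310F15C6DAE449AB211EB70AAC4CF91
Uniqueness

Uniqueness Score: -1.00%
"""


@dataclass
class FunctionEntry:
    """One function record from the report (names are this example's own)."""
    source_file: str = ""
    offset: str = ""
    based_on_pe: bool = False
    apis: list = field(default_factory=list)   # (api, module, ref address)
    fields: dict = field(default_factory=dict)  # remaining "• Key: value" lines


# "• Name.MODULE(optional args), ref: ADDR"
API_REF = re.compile(r"^•\s*([A-Za-z0-9_]+)\.([A-Z0-9]+)(?:\(.*\))?,?\s*ref:\s*([0-9A-Fa-f]+)")
SOURCE = re.compile(r"Source File:\s*(\S+),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")
FIELD = re.compile(r"^•\s*([A-Za-z ]+?):\s*(.*)$")


def parse_entries(text):
    """Split report text into FunctionEntry records; an entry ends at its Uniqueness Score line."""
    entries, cur = [], FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Uniqueness Score"):
            entries.append(cur)
            cur = FunctionEntry()
            continue
        m = API_REF.match(line)
        if m:
            cur.apis.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = SOURCE.search(line)
        if m:
            cur.source_file, cur.offset = m.group(1), m.group(2)
            cur.based_on_pe = m.group(3) == "true"
            continue
        m = FIELD.match(line)
        if m:
            cur.fields[m.group(1)] = m.group(2)
    if cur.fields or cur.apis:      # trailing entry without a closing score line
        entries.append(cur)
    return entries


def api_call_sites(entries):
    """(api, module, ref address, region offset) for every resolved import reference."""
    return [(api, mod, ref, e.offset) for e in entries for api, mod, ref in e.apis]


def group_by_region(entries):
    """Map each dump region offset to the function entries found in it."""
    regions = {}
    for e in entries:
        regions.setdefault(e.offset, []).append(e)
    return regions


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for site in api_call_sites(parsed):
        print("API %s!%s at %s (region %s)" % (site[1], site[0], site[2], site[3]))
    for off, funcs in group_by_region(parsed).items():
        print("region %s: %d function(s), based on PE: %s" % (off, len(funcs), funcs[0].based_on_pe))
```

Pointing the parser at the full "Functions" section of a report of this kind gives a quick map of which non-PE memory regions carry API-resolving code, and the Opcode ID / Instruction Fuzzy Hash fields it collects are the values to pivot on when hunting for the same functions in other samples.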