Loading ...

Play interactive tourEdit tour

Analysis Report PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe

Overview

General Information

Sample Name:PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe
Analysis ID:356551
MD5:1aee76519a71de3f3f4e7485c2fcc9cb
SHA1:7a0138e465d7dd20a726f3ccebf811b059355dd4
SHA256:95d7e599e9a76497dd73084440554dfcf4a94974d49e88c43f23611d4bce5d12
Tags:AgentTeslaexe

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "bWUSNsqFz", "URL: ": "http://hWJRHFah1ZO6.com", "To: ": "fikriye@turuncoglu.com", "ByHost: ": "smtp.yandex.com:587", "Password: ": "WYVxdnuS0dPp19", "From: ": "fikriye@turuncoglu.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
    00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000000.00000002.924538970.0000000008A30000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000000.00000002.913283629.0000000003AD3000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          Process Memory Space: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe PID: 6968JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 2 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.3b21d90.5.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              0.2.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.8a30000.11.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                0.2.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.8a30000.11.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  0.2.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.3b21d90.5.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    0.2.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.288692c.2.raw.unpackJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
                      Click to see the 1 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.6968.0.memstrMalware Configuration Extractor: Agenttesla {"Username: ": "bWUSNsqFz", "URL: ": "http://hWJRHFah1ZO6.com", "To: ": "fikriye@turuncoglu.com", "ByHost: ": "smtp.yandex.com:587", "Password: ": "WYVxdnuS0dPp19", "From: ": "fikriye@turuncoglu.com"}
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeReversingLabs: Detection: 27%
                      Machine Learning detection for sampleShow sources
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeJoe Sandbox ML: detected

                      Compliance:

                      barindex
                      Uses 32bit PE filesShow sources
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Contains modern PE file flags such as dynamic base (ASLR) or NXShow sources
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Networking:

                      barindex
                      C2 URLs / IPs found in malware configurationShow sources
                      Source: Malware configuration extractorURLs: http://hWJRHFah1ZO6.com
                      Source: global trafficTCP traffic: 192.168.2.4:49766 -> 77.88.21.158:587
                      Source: Joe Sandbox ViewIP Address: 77.88.21.158 77.88.21.158
                      Source: global trafficTCP traffic: 192.168.2.4:49766 -> 77.88.21.158:587
                      Source: unknownDNS traffic detected: queries for: smtp.yandex.com
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmpString found in binary or memory: http://NfuOAc.com
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.924040060.00000000087BF000.00000004.00000001.sdmpString found in binary or memory: http://crl.certum.pl/ca.crl0h
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.924040060.00000000087BF000.00000004.00000001.sdmpString found in binary or memory: http://crl.certum.pl/ctnca.crl0k
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.924040060.00000000087BF000.00000004.00000001.sdmpString found in binary or memory: http://crls.yandex
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.924040060.00000000087BF000.00000004.00000001.sdmpString found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000003.646241525.0000000005905000.00000004.00000001.sdmpString found in binary or memory: http://en.w
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.917008175.0000000006B12000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912510671.0000000002B38000.00000004.00000001.sdmp, PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000003.871545714.00000000009D4000.00000004.00000001.sdmpString found in binary or memory: http://hWJRHFah1ZO6.com
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.924040060.00000000087BF000.00000004.00000001.sdmpString found in binary or memory: http://repository.cert
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.924040060.00000000087BF000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ca.cer09
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.924040060.00000000087BF000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ctnca.cer09
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.924040060.00000000087BF000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ycasha2.cer0
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912580609.0000000002B81000.00000004.00000001.sdmpString found in binary or memory: http://smtp.yandex.com
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.924040060.00000000087BF000.00000004.00000001.sdmpString found in binary or memory: http://subca.ocsp-certum.com0.
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.924040060.00000000087BF000.00000004.00000001.sdmpString found in binary or memory: http://subca.ocsp-certum.com01
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.917008175.0000000006B12000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000003.651039087.000000000593D000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlr
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.917008175.0000000006B12000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.924040060.00000000087BF000.00000004.00000001.sdmpString found in binary or memory: http://www.certum.pl/CPS0
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.917008175.0000000006B12000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.917008175.0000000006B12000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.917008175.0000000006B12000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.917008175.0000000006B12000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.917008175.0000000006B12000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.917008175.0000000006B12000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.917008175.0000000006B12000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.917008175.0000000006B12000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.915436584.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comdiaa;
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.915436584.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comgrita
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.915436584.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.como
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.917008175.0000000006B12000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000003.646314068.000000000591B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.como
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000003.648686218.0000000005906000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000003.648686218.0000000005906000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.917008175.0000000006B12000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.917008175.0000000006B12000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000003.648047854.000000000590E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnd6
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.917008175.0000000006B12000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.917008175.0000000006B12000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.917008175.0000000006B12000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.917008175.0000000006B12000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.917008175.0000000006B12000.00000004.00000001.sdmp, PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000003.645752461.0000000005903000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000003.645752461.0000000005903000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.come
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000003.645752461.0000000005903000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comt
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.917008175.0000000006B12000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.917008175.0000000006B12000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.917008175.0000000006B12000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.917008175.0000000006B12000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.917008175.0000000006B12000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.917008175.0000000006B12000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.924040060.00000000087BF000.00000004.00000001.sdmpString found in binary or memory: http://yandex.crl.certum.
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.924040060.00000000087BF000.00000004.00000001.sdmpString found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.924040060.00000000087BF000.00000004.00000001.sdmpString found in binary or memory: http://yandex.ocsp-responder.com03
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.924040060.00000000087BF000.00000004.00000001.sdmpString found in binary or memory: https://www.certum.pl/CPS0
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.924538970.0000000008A30000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                      System Summary:

                      barindex
                      .NET source code contains very large stringsShow sources
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, LogIn.csLong String: Length: 13656
                      Source: 0.0.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.3e0000.0.unpack, LogIn.csLong String: Length: 13656
                      Source: 0.2.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.3e0000.0.unpack, LogIn.csLong String: Length: 13656
                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeCode function: 0_2_009A00400_2_009A0040
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeCode function: 0_2_009A22900_2_009A2290
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeCode function: 0_2_009A92B40_2_009A92B4
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeCode function: 0_2_009ADFE80_2_009ADFE8
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeCode function: 0_2_009A6AC00_2_009A6AC0
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeCode function: 0_2_009A6B200_2_009A6B20
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeCode function: 0_2_00D823580_2_00D82358
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeCode function: 0_2_00D808190_2_00D80819
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeCode function: 0_2_00D990700_2_00D99070
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeCode function: 0_2_00D945480_2_00D94548
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeCode function: 0_2_00D92BF80_2_00D92BF8
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeCode function: 0_2_00D94B9A0_2_00D94B9A
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeCode function: 0_2_00D9D4D00_2_00D9D4D0
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeCode function: 0_2_00D998B80_2_00D998B8
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeCode function: 0_2_00D9FC400_2_00D9FC40
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeCode function: 0_2_00D911080_2_00D91108
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeCode function: 0_2_00D997B80_2_00D997B8
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeCode function: 0_2_08A1D0580_2_08A1D058
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeCode function: 0_2_08A1A3500_2_08A1A350
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeCode function: 0_2_08A1A6980_2_08A1A698
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeCode function: 0_2_08A1AF680_2_08A1AF68
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeCode function: 0_2_08A115F00_2_08A115F0
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeBinary or memory string: OriginalFilename vs PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.910655174.0000000000940000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx vs PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAsyncState.dllF vs PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.924318190.0000000008990000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLegacyPathHandling.dllN vs PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000000.642824419.00000000003E2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameCausalitySynchronousWork.exe6 vs PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.924605618.0000000008A70000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.910711573.0000000000980000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.924538970.0000000008A30000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameJjuAGuEggFLyNdgxhZLJIKFOcxph.exe4 vs PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeBinary or memory string: OriginalFilenameCausalitySynchronousWork.exe6 vs PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, LogIn.csBase64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
                      Source: 0.0.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.3e0000.0.unpack, LogIn.csBase64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
                      Source: 0.2.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.3e0000.0.unpack, LogIn.csBase64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/0@2/1
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeMutant created: \Sessions\1\BaseNamedObjects\FgrzrOVaPeBghSSqdSW
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeReversingLabs: Detection: 27%
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

                      barindex
                      .NET source code contains potential unpackerShow sources
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.0.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.3e0000.0.unpack, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.2.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.3e0000.0.unpack, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeCode function: 0_2_009ABCDA push 8BFFFFFFh; retf 0_2_009ABCE8
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeCode function: 0_2_08A1B980 push esp; ret 0_2_08A1B981
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.51402994346
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      barindex
                      Yara detected AntiVM_3Show sources
                      Source: Yara matchFile source: 00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe PID: 6968, type: MEMORY
                      Source: Yara matchFile source: 0.2.PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe.288692c.2.raw.unpack, type: UNPACKEDPE
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeWindow / User API: threadDelayed 440Jump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeWindow / User API: threadDelayed 9418Jump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe TID: 6972Thread sleep time: -99909s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe TID: 1368Thread sleep time: -14757395258967632s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.924605618.0000000008A70000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.924605618.0000000008A70000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.924605618.0000000008A70000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.923952005.0000000008750000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912083568.0000000002851000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.924605618.0000000008A70000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeCode function: 0_2_009A5428 LdrInitializeThunk,0_2_009A5428
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeMemory allocated: page read and write | page guardJump to behavior
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912004875.0000000001340000.00000002.00000001.sdmpBinary or memory string: Program Manager
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912004875.0000000001340000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912004875.0000000001340000.00000002.00000001.sdmpBinary or memory string: Progman
                      Source: PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe, 00000000.00000002.912004875.0000000001340000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exeQueries volume information: C:\Windows\Fonts\tai