Windows Analysis Report
Purchase order(600010310,10303).exe

Overview

General Information

Sample name: Purchase order(600010310,10303).exe
Analysis ID: 1471984
MD5: 897eed97e49be61757f1a9a4297f669a
SHA1: e7c07af23f6048b8661b3896ab1451ead71552cf
SHA256: 9d3a9d1466d81346ab6324ccd10a855137c6b93ac6fdd6cba5e67621b047fb63
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected RedLine Stealer
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • Purchase order(600010310,10303).exe (PID: 1072 cmdline: "C:\Users\user\Desktop\Purchase order(600010310,10303).exe" MD5: 897EED97E49BE61757F1A9A4297F669A)
    • powershell.exe (PID: 4036 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase order(600010310,10303).exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5172 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AmEFEED.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 6708 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 6500 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AmEFEED" /XML "C:\Users\user\AppData\Local\Temp\tmp2BEC.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 3624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • AmEFEED.exe (PID: 6856 cmdline: C:\Users\user\AppData\Roaming\AmEFEED.exe MD5: 897EED97E49BE61757F1A9A4297F669A)
    • schtasks.exe (PID: 7152 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AmEFEED" /XML "C:\Users\user\AppData\Local\Temp\tmp3AB1.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AmEFEED.exe (PID: 3604 cmdline: "C:\Users\user\AppData\Roaming\AmEFEED.exe" MD5: 897EED97E49BE61757F1A9A4297F669A)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["204.10.160.198:1950"], "Bot Id": "1000", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author
00000000.00000002.1218881149.00000000042DC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1218881149.0000000004299000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0000000A.00000002.1390289229.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author
0.2.Purchase order(600010310,10303).exe.42e4b90.2.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.Purchase order(600010310,10303).exe.4299970.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.Purchase order(600010310,10303).exe.4299970.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.Purchase order(600010310,10303).exe.42e4b90.2.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
10.2.Purchase order(600010310,10303).exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase order(600010310,10303).exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase order(600010310,10303).exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Purchase order(600010310,10303).exe", ParentImage: C:\Users\user\Desktop\Purchase order(600010310,10303).exe, ParentProcessId: 1072, ParentProcessName: Purchase order(600010310,10303).exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase order(600010310,10303).exe", ProcessId: 4036, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AmEFEED" /XML "C:\Users\user\AppData\Local\Temp\tmp3AB1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AmEFEED" /XML "C:\Users\user\AppData\Local\Temp\tmp3AB1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\AmEFEED.exe, ParentImage: C:\Users\user\AppData\Roaming\AmEFEED.exe, ParentProcessId: 6856, ParentProcessName: AmEFEED.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AmEFEED" /XML "C:\Users\user\AppData\Local\Temp\tmp3AB1.tmp", ProcessId: 7152, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AmEFEED" /XML "C:\Users\user\AppData\Local\Temp\tmp2BEC.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AmEFEED" /XML "C:\Users\user\AppData\Local\Temp\tmp2BEC.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Purchase order(600010310,10303).exe", ParentImage: C:\Users\user\Desktop\Purchase order(600010310,10303).exe, ParentProcessId: 1072, ParentProcessName: Purchase order(600010310,10303).exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AmEFEED" /XML "C:\Users\user\AppData\Local\Temp\tmp2BEC.tmp", ProcessId: 6500, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase order(600010310,10303).exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase order(600010310,10303).exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Purchase order(600010310,10303).exe", ParentImage: C:\Users\user\Desktop\Purchase order(600010310,10303).exe, ParentProcessId: 1072, ParentProcessName: Purchase order(600010310,10303).exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase order(600010310,10303).exe", ProcessId: 4036, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AmEFEED" /XML "C:\Users\user\AppData\Local\Temp\tmp2BEC.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AmEFEED" /XML "C:\Users\user\AppData\Local\Temp\tmp2BEC.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Purchase order(600010310,10303).exe", ParentImage: C:\Users\user\Desktop\Purchase order(600010310,10303).exe, ParentProcessId: 1072, ParentProcessName: Purchase order(600010310,10303).exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AmEFEED" /XML "C:\Users\user\AppData\Local\Temp\tmp2BEC.tmp", ProcessId: 6500, ProcessName: schtasks.exe

Timestamp: 07/12/24-06:01:58.753299 | SID: 2043234 | Source Port: 1950 | Destination Port: 49702 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 07/12/24-06:02:02.057275 | SID: 2043234 | Source Port: 1950 | Destination Port: 49704 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 07/12/24-06:02:03.708514 | SID: 2046056 | Source Port: 1950 | Destination Port: 49702 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 07/12/24-06:02:07.363619 | SID: 2046056 | Source Port: 1950 | Destination Port: 49704 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 07/12/24-06:01:58.315359 | SID: 2046045 | Source Port: 49702 | Destination Port: 1950 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 07/12/24-06:02:13.422387 | SID: 2043231 | Source Port: 49702 | Destination Port: 1950 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 07/12/24-06:02:00.985911 | SID: 2046045 | Source Port: 49704 | Destination Port: 1950 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 07/12/24-06:02:18.035215 | SID: 2043231 | Source Port: 49704 | Destination Port: 1950 | Protocol: TCP | Classtype: A Network Trojan was detected

AV Detection

Source: Purchase order(600010310,10303).exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Avira: detection malicious, Label: HEUR/AGEN.1309691
Source: 10.2.Purchase order(600010310,10303).exe.400000.0.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["204.10.160.198:1950"], "Bot Id": "1000", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Virustotal: Detection: 35%
Source: Purchase order(600010310,10303).exe | ReversingLabs: Detection: 21%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Joe Sandbox ML: detected
Source: Purchase order(600010310,10303).exe | Joe Sandbox ML: detected
Source: Purchase order(600010310,10303).exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Purchase order(600010310,10303).exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Code function: 4x nop then jmp 06B002F1h | 10_2_06B00040
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Code function: 4x nop then jmp 06B0132Ah | 10_2_06B00F08
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Code function: 4x nop then jmp 06B017AAh | 10_2_06B00F08
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Code function: 4x nop then jmp 06B00D3Dh | 10_2_06B00970
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Code function: 4x nop then jmp 06B00D3Dh | 10_2_06B0096B
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 4x nop then jmp 07AB698Dh | 15_2_07AB66C8
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 4x nop then jmp 07AB9A50h | 15_2_07AB9558
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 4x nop then jmp 07AB02F4h | 15_2_07AB0040
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 4x nop then jmp 07AB50DAh | 15_2_07AB4CB8
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 4x nop then jmp 07AB555Ah | 15_2_07AB4CB8
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 4x nop then jmp 07AB718Fh | 15_2_07AB6A30
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 4x nop then jmp 07AB400Ah | 15_2_07AB3FF2

Networking

Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.7:49702 -> 204.10.160.198:1950
Source: Traffic | Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.7:49702 -> 204.10.160.198:1950
Source: Traffic | Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 204.10.160.198:1950 -> 192.168.2.7:49702
Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.7:49704 -> 204.10.160.198:1950
Source: Traffic | Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.7:49704 -> 204.10.160.198:1950
Source: Traffic | Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 204.10.160.198:1950 -> 192.168.2.7:49704
Source: Traffic | Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 204.10.160.198:1950 -> 192.168.2.7:49702
Source: Traffic | Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 204.10.160.198:1950 -> 192.168.2.7:49704
Source: Malware configuration extractor | URLs: 204.10.160.198:1950
Source: global traffic | TCP traffic: 192.168.2.7:49702 -> 204.10.160.198:1950
Source: Joe Sandbox View | ASN Name: UNREAL-SERVERSUS UNREAL-SERVERSUS
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                          Source: Purchase order(600010310,10303).exe, 00000000.00000002.1217601631.00000000032E8000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000B.00000002.1252261896.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000032C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002BAA000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002CB0000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000290E000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000295F000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000033D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003383000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000290E000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000295F000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id13
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id13Response
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000033D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id14
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id14Response
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000290E000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002C13000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000033E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15Response
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000290E000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000295F000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15V
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id16
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id16Response
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000032C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id17
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id17Response
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003383000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id18
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id18Response
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003383000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id19
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id19Response
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003383000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1Response
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20Response
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000290E000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002C38000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000295F000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000033E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000295F000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21Response
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000290E000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000295F000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id22
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id22Response
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000290E000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000033E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000290E000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000033D7000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23Response
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000290E000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000033E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id24
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id24Response
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2Response
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3Response
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4Response
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000290E000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5Response
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000290E000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6Response
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000290E000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000032C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7Response
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8Response
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000033E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002C13000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9Response
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000290E000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002C13000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                          Source: Purchase order(600010310,10303).exe, AmEFEED.exe.0.dr | String found in binary or memory: http://www.digicert.com/CPS0
                          Source: Purchase order(600010310,10303).exe, 00000000.00000002.1218881149.00000000042DC000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 00000000.00000002.1218881149.0000000004299000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 00000000.00000002.1218881149.0000000004327000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 0000000A.00000002.1390289229.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/ip
                          Source: Purchase order(600010310,10303).exe, AmEFEED.exe.0.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

                          System Summary

                          Source: Purchase order(600010310,10303).exe, frmHome.cs | Large array initialization: array initializer size 632157
                          Source: initial sample | Static PE information: Filename: Purchase order(600010310,10303).exe
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Code function: 0_2_0183D744
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Code function: 0_2_03100518
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Code function: 0_2_03100508
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Code function: 0_2_052E3880
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Code function: 0_2_0583054C
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Code function: 0_2_05832A60
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Code function: 10_2_0267DC74
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Code function: 10_2_04EDEE58
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Code function: 10_2_04ED8850
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Code function: 10_2_04ED0040
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Code function: 10_2_04ED001F
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Code function: 10_2_04ED8840
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Code function: 10_2_06B0AF48
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Code function: 10_2_06B00040
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Code function: 10_2_06B00EF8
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Code function: 10_2_06B00F08
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Code function: 10_2_06B079E0
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Code function: 10_2_06B079D0
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Code function: 10_2_06B00970
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Code function: 10_2_06B0096B
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 11_2_015DD744
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 11_2_05212C80
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 11_2_057C0518
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 11_2_057C0508
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 11_2_0773C620
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 11_2_0773E2E0
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 11_2_0773C1E8
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 11_2_07733F40
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 11_2_07733F30
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 11_2_07737D50
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 11_2_0773BDB0
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 11_2_0773B978
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 15_2_0168DC74
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 15_2_07AB3708
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 15_2_07AB0580
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 15_2_07AB45D8
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 15_2_07AB9558
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 15_2_07ABB48F
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 15_2_07AB14C0
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 15_2_07AB7348
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 15_2_07ABC238
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 15_2_07AB0040
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 15_2_07AB2FA0
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 15_2_07AB7D88
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 15_2_07AB4CB8
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 15_2_07AB6A30
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 15_2_07AB2960
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 15_2_07AB5890
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 15_2_07AB460A
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 15_2_07AB0570
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 15_2_07AB4CAE
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 15_2_07AB2951
                          Source: Purchase order(600010310,10303).exe, 00000000.00000002.1224325484.0000000005A10000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCAA.dll4 vs Purchase order(600010310,10303).exe
                          Source: Purchase order(600010310,10303).exe, 00000000.00000002.1218881149.0000000004372000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs Purchase order(600010310,10303).exe
                          Source: Purchase order(600010310,10303).exe, 00000000.00000002.1228258309.0000000007640000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Purchase order(600010310,10303).exe
                          Source: Purchase order(600010310,10303).exe, 00000000.00000002.1218881149.00000000042DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs Purchase order(600010310,10303).exe
                          Source: Purchase order(600010310,10303).exe, 00000000.00000002.1217601631.0000000003291000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCAA.dll4 vs Purchase order(600010310,10303).exe
                          Source: Purchase order(600010310,10303).exe, 00000000.00000000.1198277848.0000000000D92000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1002.exe8 vs Purchase order(600010310,10303).exe
                          Source: Purchase order(600010310,10303).exe, 00000000.00000002.1215928472.000000000147E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Purchase order(600010310,10303).exe
                          Source: Purchase order(600010310,10303).exe, 00000000.00000002.1218881149.0000000004327000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs Purchase order(600010310,10303).exe
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs Purchase order(600010310,10303).exe
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1390289229.0000000000446000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs Purchase order(600010310,10303).exe
                          Source: Purchase order(600010310,10303).exe | Binary or memory string: OriginalFilename421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1002.exe8 vs Purchase order(600010310,10303).exe
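The "OriginalFilename... vs ..." lines compare the OriginalFilename value of a version resource found in memory with the name the sample actually runs under; a file whose embedded name (Steanings.exe) differs from its on-disk name is a classic sign of a renamed or repacked binary. As an added example, not taken from the report, the Python below performs that comparison on a raw buffer: it locates the UTF-16LE key "OriginalFilename" of a VS_VERSIONINFO String entry, skips the alignment padding, reads the NUL-terminated value, and reports values that differ from the name the file has. The dump it scans is constructed inline by a small helper that lays entries out the way a version resource does (wLength/wValueLength/wType header, key, padding to 4 bytes, value); the names Steanings.exe and clr.dll come from the lines above, the InternalName entry is made up for the test.

```python
import struct

# UTF-16LE "OriginalFilename" followed by its NUL terminator, as it sits in
# the szKey field of a VS_VERSIONINFO String entry.
KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"


def _read_wsz(buf: bytes, pos: int) -> tuple[str, int]:
    """Read a NUL-terminated UTF-16LE string starting at a 2-byte aligned pos."""
    chars = bytearray()
    while pos + 1 < len(buf) and buf[pos:pos + 2] != b"\x00\x00":
        chars += buf[pos:pos + 2]
        pos += 2
    return chars.decode("utf-16-le", errors="replace"), pos


def find_original_filenames(buf: bytes) -> list[str]:
    """Return every OriginalFilename value in the buffer, in order of appearance.

    In a String entry the key and the value are back-to-back NUL-terminated
    UTF-16LE strings and the value is 4-byte aligned, so at most one WCHAR of
    zero padding can sit between them; the loop below skips that padding.
    """
    names, pos = [], 0
    while True:
        pos = buf.find(KEY, pos)
        if pos < 0:
            return names
        pos += len(KEY)
        while buf[pos:pos + 2] == b"\x00\x00":   # alignment padding
            pos += 2
        value, pos = _read_wsz(buf, pos)
        if value:
            names.append(value)


def name_mismatches(buf: bytes, actual_name: str) -> list[str]:
    """OriginalFilename values that differ (case-insensitively) from the name
    the file is actually stored and executed under."""
    return [n for n in find_original_filenames(buf) if n.lower() != actual_name.lower()]


def _string_entry(key: str, value: str) -> bytes:
    """Build one VS_VERSIONINFO String entry, padded to a 4-byte boundary.

    Layout: WORD wLength, WORD wValueLength (in WCHARs incl. NUL), WORD wType
    (1 = text), szKey, padding so Value is 4-byte aligned, Value.
    Used here only to construct the sample buffer.
    """
    k = key.encode("utf-16-le") + b"\x00\x00"
    v = value.encode("utf-16-le") + b"\x00\x00"
    pad = b"\x00\x00" if (6 + len(k)) % 4 else b""
    body = k + pad + v
    entry = struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body
    return entry + b"\x00" * (-len(entry) % 4)


# Constructed memory region: some zero fill, a made-up InternalName entry,
# the sample's own OriginalFilename, unrelated bytes, and the OriginalFilename
# of another module (the CLR) mapped in the same process.
SAMPLE_DUMP = (
    b"\x00" * 16
    + _string_entry("InternalName", "Steanings")
    + _string_entry("OriginalFilename", "Steanings.exe")
    + b"MZ\x90\x00" + b"\x00" * 12
    + _string_entry("OriginalFilename", "clr.dll")
)

if __name__ == "__main__":
    running_as = "Purchase order(600010310,10303).exe"
    for name in name_mismatches(SAMPLE_DUMP, running_as):
        print(f"OriginalFilename{name} vs {running_as}")
```

A memory scan written this way mirrors what the sandbox reports and inherits its noise: a .NET process has clr.dll and other modules mapped, so their version resources show up as "mismatches" exactly as OriginalFilenameclr.dll does on this page. For a hunting rule, compare the sample's own version resource in the static file against its file name, and treat hits from memory dumps as supporting evidence rather than as a finding on their own.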
                          Source: Purchase order(600010310,10303).exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                          Source: Purchase order(600010310,10303).exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Source: AmEFEED.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, A02lWqFmjR3abltr0q.csSecurity API names: _0020.SetAccessControl
                          Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, A02lWqFmjR3abltr0q.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                          Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, A02lWqFmjR3abltr0q.csSecurity API names: _0020.AddAccessRule
                          Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, pT1DulOxAZOYvY6Iyi.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@21/15@0/1
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | File created: C:\Users\user\AppData\Roaming\AmEFEED.exe
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6308:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3624:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5884:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2924:120:WilError_03
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | File created: C:\Users\user\AppData\Local\Temp\tmp2BEC.tmp
Source: Purchase order(600010310,10303).exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Purchase order(600010310,10303).exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: AmEFEED.exe, 0000000F.00000002.1437616304.000000000372F000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000037D4000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000037BE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Purchase order(600010310,10303).exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | File read: C:\Users\user\Desktop\Purchase order(600010310,10303).exe
Source: unknown | Process created: C:\Users\user\Desktop\Purchase order(600010310,10303).exe "C:\Users\user\Desktop\Purchase order(600010310,10303).exe"
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase order(600010310,10303).exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AmEFEED.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AmEFEED" /XML "C:\Users\user\AppData\Local\Temp\tmp2BEC.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Process created: C:\Users\user\Desktop\Purchase order(600010310,10303).exe "C:\Users\user\Desktop\Purchase order(600010310,10303).exe"
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Process created: C:\Users\user\Desktop\Purchase order(600010310,10303).exe "C:\Users\user\Desktop\Purchase order(600010310,10303).exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\AmEFEED.exe C:\Users\user\AppData\Roaming\AmEFEED.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AmEFEED" /XML "C:\Users\user\AppData\Local\Temp\tmp3AB1.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Process created: C:\Users\user\AppData\Roaming\AmEFEED.exe "C:\Users\user\AppData\Roaming\AmEFEED.exe"
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase order(600010310,10303).exe"
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AmEFEED.exe"
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AmEFEED" /XML "C:\Users\user\AppData\Local\Temp\tmp2BEC.tmp"
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Process created: C:\Users\user\Desktop\Purchase order(600010310,10303).exe "C:\Users\user\Desktop\Purchase order(600010310,10303).exe"
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Process created: C:\Users\user\Desktop\Purchase order(600010310,10303).exe "C:\Users\user\Desktop\Purchase order(600010310,10303).exe"
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AmEFEED" /XML "C:\Users\user\AppData\Local\Temp\tmp3AB1.tmp"
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Process created: C:\Users\user\AppData\Roaming\AmEFEED.exe "C:\Users\user\AppData\Roaming\AmEFEED.exe"
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: onecoreuapcommonproxystub.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Purchase order(600010310,10303).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Purchase order(600010310,10303).exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
Source: Purchase order(600010310,10303).exe, frmMemberLogin.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, A02lWqFmjR3abltr0q.cs | .Net Code: vsdf08RIiw System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Code function: 0_2_0310A408 pushfd ; iretd 0_2_0310A40D
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Code function: 0_2_052E1B4C push eax; retf 0_2_052E1B4D
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Code function: 0_2_0583E410 push eax; mov dword ptr [esp], edx 0_2_0583E424
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Code function: 0_2_058302F7 push esp; ret 0_2_05830301
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Code function: 10_2_04EDD442 push eax; ret 10_2_04EDD451
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 11_2_057CA408 pushfd ; iretd 11_2_057CA40D
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 11_2_07737405 push 5D906BFDh; ret 11_2_0773741B
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 11_2_07730014 push eax; retf 11_2_07730015
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 11_2_077310F8 push edi; retf 11_2_07731116
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | Code function: 15_2_07AB0E78 push es; iretd 15_2_07AB0E84
Source: Purchase order(600010310,10303).exe | Static PE information: section name: .text entropy: 7.63325835072001
Source: AmEFEED.exe.0.dr | Static PE information: section name: .text entropy: 7.63325835072001
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, isP52MdDaMEy9iv4hA.cs | High entropy of concatenated method names: 'RUISHt8Nkv', 'BLYSo09Tr8', 'ArrSMp25pK', 'sLDStk1BUv', 'dSqS1wKNDy', 'GFhSGjybsZ', 'LRaSpVMQfr', 'eYkS9BXsb4', 'GwiSeYKUlw', 'c24ShdQJCy'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, FIKbgEeGLlNSjWbMsr.cs | High entropy of concatenated method names: 'O1HDk80jfR', 'YhqDrQ0KZg', 'G9JDHtlcjl', 'uXXDoZswP6', 'y5EDc6yrwY', 'vN5DLN6nGI', 'wxXDaNfTyh', 'ShoDvCZtrG', 'ouEDxdqa5B', 'g2ZDYHY7sc'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, TUZyLY39kqqbo7ymMX.cs | High entropy of concatenated method names: 'MQHaquR4od', 'lPOajXdkgQ', 'ToString', 'yhlaOHEsbY', 'FlqabCWZAW', 'WSpaDMFhkS', 'JjUa4of6fl', 'Pi1aKPnJSh', 'UrYaXCO2Px', 'u9waPSWkii'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, d9cBSbjGYsqg6UBKoj.cs | High entropy of concatenated method names: 'UyGKA5A58M', 'e94KbuMPQO', 'aT2K44wc2T', 'nbwKXDt4iv', 'DxnKPJJMDC', 'P214yPma5S', 'Woy437vI39', 'fcI4FjXMAu', 'UkO4284osX', 'lC94sUTCjV'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, A02lWqFmjR3abltr0q.cs | High entropy of concatenated method names: 'L6RWAuoBZJ', 'QHZWOi55eX', 'lixWbWGZIj', 'f00WD2nh2e', 'tvMW44Nxfu', 'YjBWK3b6R2', 'B7fWXivpt5', 'b52WPG8SAI', 'E3HWm8BI6H', 'HbCWqu2T8U'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, mGEDskpTM3VZ3I6Dnv.cs | High entropy of concatenated method names: 'FQ9cemDEEB', 'R4Lc7xXeex', 'Ckxc5TC0Y2', 'rb1cTZ2dYD', 'Trgct1lfbp', 'fEWclTkHCq', 'zd4c1nxX1k', 'AqbcGcukNV', 'dL6cRRmeGA', 'xivcp98i1V'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, yrQuwkX28MEWnClaqA.cs | High entropy of concatenated method names: 'uPYxiaAgcZ', 'BMKxWkC4Q9', 'NmqxfXBKkJ', 'PBRxOj1Pkx', 'VjOxbriGL6', 'kgDx4FnTqg', 'j3gxKBobeZ', 'sT0vFLEgxS', 'FpSv2QMGwY', 'DY6vsTSIng'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, qmSSbSceWyWraCE9Il.cs | High entropy of concatenated method names: 'paBXC46nXv', 'DvfXUJQTIn', 'YtbX0Bojp9', 'UfhXkOyblf', 'znsXNaiFNM', 'p5xXryhkZd', 'OSlX6oNxl4', 'fPfXHsFDmN', 'yBsXo5jfx2', 'kJ6XBBLVhX'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, A2FdtoVw4vWkAwhvme.cs | High entropy of concatenated method names: 'n950MLFiC4UAMVjsmgw', 'fUk1f1F3lmWAbZioEpQ', 'y3CKvBPhKr', 'TNWKxB4sVj', 'Rl4KY7AW3p', 'GDdjtMF6agUbTLFZyEy', 'pFrJTXFYOItGIhs7xqs'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, BAm6v79nxUE2ZvZmVg.cs | High entropy of concatenated method names: 'Dispose', 'srJisuYHNU', 'IksutwWLo7', 'oJuwwpe0mO', 'O52infigPw', 'LCbizPYfhu', 'ProcessDialogKey', 'aWMudV29rc', 'BQUuiBr6k5', 'FEKuutUV6s'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, TkTbvJwcS9dchRAgmr.cs | High entropy of concatenated method names: 'IZTa2jXVjy', 'gmTanNewCU', 'gkWvdhFIKy', 'nF5viri6yg', 'U56ahp75sT', 'RJJa7pKsHT', 'iWhaE44g9U', 'v9ea5qiM5U', 'KGqaT5r5l9', 'ylgaZyR8JY'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, IiTu2yg8PgtOhrQmM7.cs | High entropy of concatenated method names: 'bGnvMcTcNp', 'QOQvtjRYGr', 'oSQvlQdmZh', 'yK9v1JBkWS', 'zDYv5S8vl4', 'Vj6vGAXGXM', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, ru2oAmzQHFgxYJ5xgF.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DLcxSr99IW', 'vlxxc4CHvl', 'osYxLYcAkj', 'RcmxaW0ldu', 'KW7xvtPj4f', 'qiAxx4BbvL', 'uypxYEZUmT'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, J4eFVe8XeevqFh3Fso.cs | High entropy of concatenated method names: 'L34iXy8hnr', 'PqwiP3oqIq', 'gPJiqBGpd8', 'v66ijt0X38', 'AxLic0iMcH', 'JiNiLAqpns', 'cwTsEaGOfisDaVysmm', 'YKPpkR5m8gLYOHEG2g', 'hT3iisH3rq', 'OQXiWpv8fv'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, NuGuLguviiltQanZDm.cs | High entropy of concatenated method names: 'SP0vOB5hsb', 'DD1vbXWwg5', 'ujJvDgGH5f', 'JWpv4yMgUO', 'lpNvKY1w3h', 'nXQvXClbaO', 'k0QvP3pcvN', 'dBYvmK9l76', 'zaqvqHgCgb', 'vQVvj3fNjW'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, riZVJXa7wnT1c9fehv4.cs | High entropy of concatenated method names: 'LL5xCoA4oJ', 'DhqxUSG82T', 'o1Lx0j6VMO', 'KAxxkjOwSQ', 'k0axNZCcbi', 'SW8xrC7Rj3', 'qXkx6IG6Zo', 'NHrxHL4ws4', 'oadxoZkiBZ', 'QeQxBQVwMX'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, uT4hvDaSdvKrhPGgP72.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lTuY5raq2V', 'iB8YTPC05w', 'MHIYZLogt5', 'FqGY8UndWY', 'IxsYygm9mZ', 'W5yY3YnSqX', 'ATRYFHNC4r'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, pT1DulOxAZOYvY6Iyi.cs | High entropy of concatenated method names: 'KyHb5o9ku3', 'sB2bTk6d0J', 'iAPbZsmlpr', 'OSub8R0tOk', 'UgabyP4jsW', 'yRIb3wMrAl', 'Aw6bFyPJGp', 'sQKb2ABexP', 'Ah8bsblStq', 'sYrbnOZYk0'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, S2WWDQlbOZhr5MVkMT.cs | High entropy of concatenated method names: 'NLo0nEGqx', 'imnkoFmsD', 'lRHr0egFv', 'hVD6A5dE9', 'xeVoL5E90', 'XSVBpFHGw', 'FrkYZTLBRqNS5NQlO9', 'V54YW5lB0qgYeqwUWL', 'TeJvWjWoU', 'nmAYjDBi3'
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | File created (dropped file): C:\Users\user\AppData\Roaming\AmEFEED.exe

Boot Survival
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AmEFEED" /XML "C:\Users\user\AppData\Local\Temp\tmp2BEC.tmp"

Hooking and other Techniques for Hiding and Protection
Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (15).png
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX

                          Malware Analysis System Evasion

                          Source: Yara match File source: Process Memory Space: Purchase order(600010310,10303).exe PID: 1072, type: MEMORYSTR
                          Source: Yara match File source: Process Memory Space: AmEFEED.exe PID: 6856, type: MEMORYSTR
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Memory allocated: 15E0000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Memory allocated: 3290000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Memory allocated: 5290000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Memory allocated: 7D10000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Memory allocated: 76E0000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Memory allocated: 2630000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Memory allocated: 2810000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Memory allocated: 4810000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Memory allocated: 1560000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Memory allocated: 31C0000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Memory allocated: 51C0000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Memory allocated: 7850000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Memory allocated: 8850000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Memory allocated: 8AE0000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Memory allocated: 9AE0000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Memory allocated: 1680000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Memory allocated: 31E0000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Memory allocated: 1830000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6514
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 866
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9072
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 444
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Window / User API: threadDelayed 7619
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Window / User API: threadDelayed 2091
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Window / User API: threadDelayed 1454
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Window / User API: threadDelayed 6406
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe TID: 5412 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2024 Thread sleep time: -4611686018427385s >= -30000s
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2924 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5724 Thread sleep time: -5534023222112862s >= -30000s
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5292 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe TID: 7448 Thread sleep time: -28592453314249787s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe TID: 6500 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe TID: 7620 Thread sleep time: -28592453314249787s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe TID: 6608 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231LR
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
                          Source: AmEFEED.exe, 0000000B.00000002.1251429710.0000000001671000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                          Source: AmEFEED.exe, 0000000F.00000002.1435468788.0000000001508000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.000000000444A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1391296367.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696492231]
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696492231d
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696492231]
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696492231
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696492231f
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696492231j
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696492231}
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696492231x
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696492231x
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696492231s
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696492231
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696492231
                          Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                          Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exeProcess information queried: ProcessInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exeCode function: 15_2_07AB7D88 LdrInitializeThunk,15_2_07AB7D88
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exeProcess token adjusted: DebugJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exeProcess token adjusted: DebugJump to behavior
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase order(600010310,10303).exe"
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AmEFEED.exe"
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase order(600010310,10303).exe"
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AmEFEED.exe"
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Memory written: C:\Users\user\AppData\Roaming\AmEFEED.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase order(600010310,10303).exe"
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AmEFEED.exe"
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AmEFEED" /XML "C:\Users\user\AppData\Local\Temp\tmp2BEC.tmp"
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Process created: C:\Users\user\Desktop\Purchase order(600010310,10303).exe "C:\Users\user\Desktop\Purchase order(600010310,10303).exe"
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Process created: C:\Users\user\Desktop\Purchase order(600010310,10303).exe "C:\Users\user\Desktop\Purchase order(600010310,10303).exe"
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AmEFEED" /XML "C:\Users\user\AppData\Local\Temp\tmp3AB1.tmp"
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process created: C:\Users\user\AppData\Roaming\AmEFEED.exe "C:\Users\user\AppData\Roaming\AmEFEED.exe"
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Users\user\Desktop\Purchase order(600010310,10303).exe VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Users\user\Desktop\Purchase order(600010310,10303).exe VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Queries volume information: C:\Users\user\AppData\Roaming\AmEFEED.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Queries volume information: C:\Users\user\AppData\Roaming\AmEFEED.exe VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                          Stealing of Sensitive Information

                          Source: Yara match | File source: dump.pcap, type: PCAP
                          Source: Yara match | File source: 0.2.Purchase order(600010310,10303).exe.42e4b90.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Purchase order(600010310,10303).exe.4299970.1.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Purchase order(600010310,10303).exe.4299970.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Purchase order(600010310,10303).exe.42e4b90.2.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 10.2.Purchase order(600010310,10303).exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000000.00000002.1218881149.00000000042DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.1218881149.0000000004299000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000000A.00000002.1390289229.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.1218881149.0000000004327000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: Purchase order(600010310,10303).exe PID: 1072, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: Purchase order(600010310,10303).exe PID: 2516, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: AmEFEED.exe PID: 3604, type: MEMORYSTR
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ElectrumE#
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000295F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q5C:\Users\user\AppData\Roaming\Electrum\wallets\*
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002CB0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000295F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.walletLR
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000295F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\walletsLR
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ExodusE#
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000295F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: qdC:\Users\user\AppData\Roaming\Binance
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: EthereumE#
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000295F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q&%localappdata%\Coinomi\Coinomi\walletsLR
                          Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000295F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q9C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | File opened: C:\Users\user\AppData\Roaming\atomic\
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | File opened: C:\Users\user\AppData\Roaming\Binance\
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
                          Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
                          Source: C:\Users\user\AppData\Roaming\AmEFEED.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                          Source: Yara match | File source: 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: Purchase order(600010310,10303).exe PID: 2516, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: AmEFEED.exe PID: 3604, type: MEMORYSTR

                          Remote Access Functionality

                          Source: Yara match | File source: dump.pcap, type: PCAP
                          Source: Yara match | File source: 0.2.Purchase order(600010310,10303).exe.42e4b90.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Purchase order(600010310,10303).exe.4299970.1.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Purchase order(600010310,10303).exe.4299970.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Purchase order(600010310,10303).exe.42e4b90.2.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 10.2.Purchase order(600010310,10303).exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000000.00000002.1218881149.00000000042DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.1218881149.0000000004299000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000000A.00000002.1390289229.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.1218881149.0000000004327000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: Purchase order(600010310,10303).exe PID: 1072, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: Purchase order(600010310,10303).exe PID: 2516, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: AmEFEED.exe PID: 3604, type: MEMORYSTR
                          MITRE ATT&CK Matrix (techniques listed per tactic; the numbers preceding a technique are kept as they appear in the report)

                          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
                          Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
                          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                          Execution: 221 Windows Management Instrumentation; 1 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
                          Persistence: 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
                          Privilege Escalation: 111 Process Injection; 1 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
                          Defense Evasion: 11 Masquerading; 11 Disable or Modify Tools; 241 Virtualization/Sandbox Evasion; 111 Process Injection; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
                          Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                          Discovery: 321 Security Software Discovery; 1 Process Discovery; 241 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 113 System Information Discovery; Remote System Discovery
                          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                          Collection: 1 Archive Collected Data; 3 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                          Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
                          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
                          Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
                          Behavior Graph ID: 1471984 | Sample: Purchase order(600010310,10... | Startdate: 12/07/2024 | Architecture: WINDOWS | Score: 100

                          Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Antivirus / Scanner detection for submitted sample; 16 other signatures

                          Purchase order(600010310,10303).exe (started)
                              Dropped files: C:\Users\user\AppData\Roaming\AmEFEED.exe (PE32); C:\Users\user\...\AmEFEED.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp2BEC.tmp (XML); Purchase order(600010310,10303).exe.log (ASCII)
                              Signatures: Adds a directory exclusion to Windows Defender
                              Purchase order(600010310,10303).exe (started)
                                  DNS/IP: 204.10.160.198, ports 1950, 49702, 49704, UNREAL-SERVERSUS, Canada
                                  Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to steal Crypto Currency Wallets
                              powershell.exe (started)
                                  Signatures: Loading BitLocker PowerShell Module
                                  conhost.exe (started)
                                  WmiPrvSE.exe (started)
                              powershell.exe (started)
                                  conhost.exe (started)
                              2 other processes
                                  conhost.exe (started)
                          AmEFEED.exe (started)
                              Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 3 other signatures
                              AmEFEED.exe (started)
                                  Signatures: Tries to harvest and steal browser information (history, passwords, etc)
                              schtasks.exe (started)
                                  conhost.exe (started)
