Analysis Report PO-ORDER-PURCHASE.exe

Overview

General Information

Sample Name: PO-ORDER-PURCHASE.exe
Analysis ID: 299746
MD5: 6e414a88ff5cc027cf2f92bf792a0477
SHA1: fe913bee96cf2b7b84ab4d89042b0c0de3874116
SHA256: 0eb0f9b84a81bca9c130063eaf0e62836511b67b793d3fd35321062d209759fa
Tags: exe, MassLogger

Detection

MassLogger RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected MassLogger RAT
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • PO-ORDER-PURCHASE.exe (PID: 4604 cmdline: 'C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe' MD5: 6E414A88FF5CC027CF2F92BF792A0477)
    • powershell.exe (PID: 6648 cmdline: 'Powershell' Add-MpPreference -ExclusionPath ''C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire\vidoediswire.exe'' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • vidoediswire.exe (PID: 6904 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire\vidoediswire.exe' MD5: 6E414A88FF5CC027CF2F92BF792A0477)
  • vidoediswire.exe (PID: 4568 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire\vidoediswire.exe' MD5: 6E414A88FF5CC027CF2F92BF792A0477)
  • cleanup
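The process tree above is the whole defence-evasion story of this sample in three lines: the submitted binary launches PowerShell to add a Windows Defender exclusion for a path under Start Menu\Programs, and the two processes that later run from that path carry the sample's own MD5 (6E414A88...), i.e. the dropped file is a copy of itself. The following script is an added example and not part of the Joe Sandbox report; it shows how to pull those two facts out of process-creation telemetry automatically. The ProcEvent layout and the EVENTS list are constructed here from the PIDs, command lines and MD5s printed in the tree; the field names are this example's own, not a sandbox or Sysmon schema.

```python
"""Added example: triage a process tree for the Defender-exclusion plus
self-copy pattern shown in the Startup section. Events are constructed
from the report; the dataclass layout is this example's own."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: Optional[int]   # None where the report shows the process at top level
    image: str
    cmdline: str
    md5: str


SAMPLE_MD5 = "6E414A88FF5CC027CF2F92BF792A0477"
DROPPED = (r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu"
           r"\Programs\videodiswire\vidoediswire.exe")

# Constructed from the Startup tree in this report (PIDs, cmdlines, MD5s).
EVENTS = [
    ProcEvent(4604, None, r"C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe",
              r"'C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe'", SAMPLE_MD5),
    ProcEvent(6648, 4604, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              "'Powershell' Add-MpPreference -ExclusionPath ''" + DROPPED + "''",
              "DBA3E6449E97D4E3DF64527EF7012A10"),
    ProcEvent(6656, 6648, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
              "EA777DEEA782E8B4D7C7C33BBF8A4496"),
    ProcEvent(6904, None, DROPPED, "'" + DROPPED + "'", SAMPLE_MD5),
    ProcEvent(4568, None, DROPPED, "'" + DROPPED + "'", SAMPLE_MD5),
]

# Value after -ExclusionPath, up to the next "-Switch" or end of line.
EXCL_RE = re.compile(r"-ExclusionPath\s+(.+?)(?=\s+-\w|$)", re.IGNORECASE)
START_MENU = "\\microsoft\\windows\\start menu\\programs\\"


def exclusion_paths(cmdline: str) -> List[str]:
    """Paths handed to Add-MpPreference -ExclusionPath. Tolerates the doubled
    quotes the sandbox prints and comma-separated path lists."""
    if "add-mppreference" not in cmdline.lower():
        return []
    m = EXCL_RE.search(cmdline)
    if not m:
        return []
    return [p.strip().strip("'\"") for p in m.group(1).split(",") if p.strip()]


def triage(events: List[ProcEvent], sample_md5: str) -> List[Tuple]:
    """Findings as tuples:
      ("defender_exclusion", pid, parent image, excluded path)
      ("self_copy_in_start_menu", pid, image, excluded_by_earlier_event)"""
    by_pid = {e.pid: e for e in events}
    findings, excluded = [], set()
    for e in events:
        for path in exclusion_paths(e.cmdline):
            parent = by_pid.get(e.ppid)
            findings.append(("defender_exclusion", e.pid,
                             parent.image if parent else None, path))
            excluded.add(path.lower())
    for e in events:
        image = e.image.lower()
        # A binary under Start Menu\Programs with the sample's own hash is the
        # sample persisting as a copy of itself.
        if START_MENU in image and e.md5.upper() == sample_md5.upper():
            findings.append(("self_copy_in_start_menu", e.pid, e.image,
                             image in excluded))
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS, SAMPLE_MD5):
        print(*finding)
```

Two points worth carrying into a real detection: the parent of the `Add-MpPreference` PowerShell is a user-writable executable rather than an admin console, and the excluded path is exactly the path the later copies run from. Either alone is noisy; both together, plus the hash match, is the sample's persistence and not an administrator's change. On a live host the same exclusion is visible in `Get-MpPreference | Select ExclusionPath` and in Defender operational event 5007.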

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000011.00000002.516161347.0000000005AA0000.00000004.00000001.sdmp
Rule: Quasar_RAT_1 (Detects Quasar RAT; author: Florian Roth)
Strings:
  • 0xa35:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x995:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x1628:$op3: 00 04 03 69 91 1B 40
  • 0x1f17:$op3: 00 04 03 69 91 1B 40

Source: 00000011.00000002.516161347.0000000005AA0000.00000004.00000001.sdmp
Rule: JoeSecurity_MassLogger (Yara detected MassLogger RAT; author: Joe Security)

Source: 00000013.00000002.513399666.0000000003856000.00000004.00000001.sdmp
Rule: Quasar_RAT_1 (Detects Quasar RAT; author: Florian Roth)
Strings:
  • 0x59c2d:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x59b8d:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x5a820:$op3: 00 04 03 69 91 1B 40
  • 0x5b10f:$op3: 00 04 03 69 91 1B 40

Source: 00000001.00000003.303070365.0000000003FE3000.00000004.00000001.sdmp
Rule: JoeSecurity_MassLogger (Yara detected MassLogger RAT; author: Joe Security)

Source: 00000013.00000002.515047214.0000000005170000.00000004.00000001.sdmp
Rule: Quasar_RAT_1 (Detects Quasar RAT; author: Florian Roth)
Strings:
  • 0xa35:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x995:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x1628:$op3: 00 04 03 69 91 1B 40
  • 0x1f17:$op3: 00 04 03 69 91 1B 40

(13 further memory-dump entries are not expanded on this page.)

Unpacked PEs

Source: 1.2.PO-ORDER-PURCHASE.exe.5660000.2.raw.unpack
Rule: Quasar_RAT_1 (Detects Quasar RAT; author: Florian Roth)
Strings:
  • 0xa35:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x995:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x1628:$op3: 00 04 03 69 91 1B 40
  • 0x1f17:$op3: 00 04 03 69 91 1B 40

Source: 1.2.PO-ORDER-PURCHASE.exe.5660000.2.raw.unpack
Rule: JoeSecurity_MassLogger (Yara detected MassLogger RAT; author: Joe Security)

Source: 19.2.vidoediswire.exe.5170000.2.raw.unpack
Rule: Quasar_RAT_1 (Detects Quasar RAT; author: Florian Roth)
Strings:
  • 0xa35:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x995:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x1628:$op3: 00 04 03 69 91 1B 40
  • 0x1f17:$op3: 00 04 03 69 91 1B 40

Source: 19.2.vidoediswire.exe.5170000.2.raw.unpack
Rule: JoeSecurity_MassLogger (Yara detected MassLogger RAT; author: Joe Security)

Source: 1.2.PO-ORDER-PURCHASE.exe.5660000.2.unpack
Rule: JoeSecurity_MassLogger (Yara detected MassLogger RAT; author: Joe Security)

(4 further unpacked-PE entries are not expanded on this page.)
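The Quasar_RAT_1 hits above are string hits: the same three short byte sequences ($op1, $op2, $op3) at the same relative offsets (0x995, 0xa35, 0x1628, 0x1f17) in every unpacked 0x5660000 / 0x5170000 / 0x5AA0000 region, which is consistent with one and the same .NET payload being mapped in each process. The rule's condition (how many strings must match, any size or PE checks) is not printed on this page, so what follows is an added example, not the rule author's code or Joe Sandbox's engine: it re-runs just the string part over a dump, using only the three hex strings the report lists, and prints hits in the report's own `0xOFFSET:$name: bytes` form. The 0xCC-filled test buffer is constructed here; real input would be a memory dump or `.unpack` file the sandbox lets you download.

```python
"""Added example: scan a dump for the three Quasar_RAT_1 hex strings the
report lists. String evidence only; the rule's condition is not on the page."""
from typing import Dict, List, Tuple

# Hex strings exactly as printed in the Yara Overview above.
QUASAR_OPS: Dict[str, str] = {
    "$op1": "04 1E FE 02 04 16 FE 01 60",
    "$op2": "00 17 03 1F 20 17 19 15 28",
    "$op3": "00 04 03 69 91 1B 40",
}


def hex_to_bytes(hexstr: str) -> bytes:
    """'04 1E FE' -> b'\\x04\\x1e\\xfe'."""
    return bytes.fromhex(hexstr.replace(" ", ""))


def find_patterns(blob: bytes,
                  patterns: Dict[str, str] = QUASAR_OPS) -> List[Tuple[int, str]]:
    """Every (offset, name) occurrence, sorted by offset. A string that
    occurs more than once is reported more than once, which is why the
    report shows $op3 twice per region."""
    hits = []
    for name, hexstr in patterns.items():
        needle = hex_to_bytes(hexstr)
        start = 0
        while (i := blob.find(needle, start)) != -1:
            hits.append((i, name))
            start = i + 1          # keep going; allow overlapping repeats
    return sorted(hits)


def format_hits(hits: List[Tuple[int, str]],
                patterns: Dict[str, str] = QUASAR_OPS) -> List[str]:
    """Render like the report: '0xa35:$op1: 04 1E FE 02 04 16 FE 01 60'."""
    return [f"0x{off:x}:{name}: {patterns[name]}" for off, name in hits]


def scan_file(path: str) -> List[str]:
    """Scan a memory dump or unpacked PE written out by the sandbox."""
    with open(path, "rb") as fh:
        return format_hits(find_patterns(fh.read()))


def build_sample_dump() -> bytes:
    """Constructed test buffer (not a real dump): 0xCC filler with the three
    strings placed at the offsets the report shows for region 0x5AA0000."""
    buf = bytearray(b"\xcc" * 0x2100)
    for off, name in [(0x995, "$op2"), (0xa35, "$op1"),
                      (0x1628, "$op3"), (0x1f17, "$op3")]:
        needle = hex_to_bytes(QUASAR_OPS[name])
        buf[off:off + len(needle)] = needle
    return bytes(buf)


if __name__ == "__main__":
    for line in format_hits(find_patterns(build_sample_dump())):
        print(line)
```

Two caveats for anyone reusing this. First, a 7-to-9-byte opcode string is a weak signal on its own; it is the co-occurrence of all three at stable relative offsets across processes that makes the hit meaningful here. Second, this sample is classified as MassLogger by Joe Security's own rule while also tripping a community Quasar rule, a reminder that opcode-pattern rules written for one .NET family can fire on shared code in another; treat such a match as corroboration of "malicious .NET stealer/RAT", not as the family label.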

            Sigma Overview

            No Sigma rule has matched

            Signature Overview


            AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire\vidoediswire.exe; Virustotal: Detection: 26%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire\vidoediswire.exe; ReversingLabs: Detection: 37%
Multi AV Scanner detection for submitted file
Source: PO-ORDER-PURCHASE.exe; Virustotal: Detection: 26%
Source: PO-ORDER-PURCHASE.exe; ReversingLabs: Detection: 37%

            Networking:

May check the online IP address of the machine
Source: unknown; DNS query: name: api.ipify.org (18 identical queries)
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive (6 identical requests)
Source: Joe Sandbox View; IP Address: 54.235.182.194
Source: Joe Sandbox View; IP Address: 54.225.66.103
Source: PO-ORDER-PURCHASE.exe, 00000001.00000002.509593236.0000000002D71000.00000004.00000001.sdmp, vidoediswire.exe, 00000011.00000002.508901973.00000000030E1000.00000004.00000001.sdmp, vidoediswire.exe, 00000013.00000002.509380625.0000000002661000.00000004.00000001.sdmp; String found in binary or memory: fUsage: https://www.youtube.com/watch?v=Qxk6cu21JSg equals www.youtube.com (Youtube)
Source: unknown; DNS traffic detected: queries for: api.ipify.org
Source: PO-ORDER-PURCHASE.exe, 00000001.00000002.510821011.0000000002E88000.00000004.00000001.sdmp, vidoediswire.exe, 00000011.00000002.509929293.00000000031A5000.00000004.00000001.sdmp, vidoediswire.exe, 00000013.00000002.510216903.0000000002773000.00000004.00000001.sdmp; String found in binary or memory: http://api.ipify.org
Source: PO-ORDER-PURCHASE.exe, 00000001.00000002.510821011.0000000002E88000.00000004.00000001.sdmp, vidoediswire.exe, 00000011.00000002.509929293.00000000031A5000.00000004.00000001.sdmp, vidoediswire.exe, 00000013.00000002.510115710.0000000002763000.00000004.00000001.sdmp; String found in binary or memory: http://api.ipify.org/
Source: PO-ORDER-PURCHASE.exe, 00000001.00000002.510821011.0000000002E88000.00000004.00000001.sdmp, vidoediswire.exe, 00000011.00000002.509929293.00000000031A5000.00000004.00000001.sdmp; String found in binary or memory: http://api.ipify.org/P
Source: vidoediswire.exe, 00000013.00000002.510115710.0000000002763000.00000004.00000001.sdmp; String found in binary or memory: http://api.ipify.org/Pz
Source: PO-ORDER-PURCHASE.exe, 00000001.00000002.510524339.0000000002E36000.00000004.00000001.sdmp, vidoediswire.exe, 00000011.00000002.509929293.00000000031A5000.00000004.00000001.sdmp, vidoediswire.exe, 00000013.00000002.510115710.0000000002763000.00000004.00000001.sdmp; String found in binary or memory: http://api.ipify.org/p
Source: PO-ORDER-PURCHASE.exe, 00000001.00000002.509593236.0000000002D71000.00000004.00000001.sdmp, vidoediswire.exe, 00000011.00000002.508901973.00000000030E1000.00000004.00000001.sdmp, vidoediswire.exe, 00000013.00000002.509380625.0000000002661000.00000004.00000001.sdmp; String found in binary or memory: http://api.ipify.orgD
Source: vidoediswire.exe, 00000011.00000002.509929293.00000000031A5000.00000004.00000001.sdmp, vidoediswire.exe, 00000013.00000002.510115710.0000000002763000.00000004.00000001.sdmp; String found in binary or memory: http://api.ipify8
Source: PO-ORDER-PURCHASE.exe, 00000001.00000002.510821011.0000000002E88000.00000004.00000001.sdmp; String found in binary or memory: http://api.ipify8:/
Source: PO-ORDER-PURCHASE.exe, 00000001.00000002.510853676.0000000002E8D000.00000004.00000001.sdmp, vidoediswire.exe, 00000011.00000002.510293414.00000000031F5000.00000004.00000001.sdmp, vidoediswire.exe, 00000013.00000002.510216903.0000000002773000.00000004.00000001.sdmp; String found in binary or memory: http://elb097307-934924932.us-east-1.elb.amazonaws.com
Source: PO-ORDER-PURCHASE.exe, 00000001.00000002.509593236.0000000002D71000.00000004.00000001.sdmp, vidoediswire.exe, 00000011.00000002.509929293.00000000031A5000.00000004.00000001.sdmp, vidoediswire.exe, 00000013.00000002.510115710.0000000002763000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO-ORDER-PURCHASE.exe, 00000001.00000002.509593236.0000000002D71000.00000004.00000001.sdmp, vidoediswire.exe, 00000011.00000002.508901973.00000000030E1000.00000004.00000001.sdmp, vidoediswire.exe, 00000013.00000002.509380625.0000000002661000.00000004.00000001.sdmp; String found in binary or memory: https://www.youtube.com/watch?v=Qxk6cu21JSg
Source: vidoediswire.exe, 00000011.00000002.505913784.000000000132B000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
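The only network activity the sandbox saw is a bare `GET / HTTP/1.1` to api.ipify.org with a Host and Connection header and nothing else, repeated six times, plus eighteen DNS lookups for the same name; the two signatures "May check the online IP address of the machine" and "HTTP GET or POST without a user agent" both come from that one request. The following is an added example, not part of the report, of parsing captured requests and flagging exactly those two properties, with the repetition counted per host. The request bytes are constructed here (the first reproduces the one the sandbox printed; the other two are controls); the host list holds only the name this report shows.

```python
"""Added example: flag HTTP requests with no User-Agent and requests to a
public-IP lookup service, as captured from this sample. Inputs constructed."""
from collections import Counter
from typing import Dict, List, Tuple

IP_LOOKUP_HOSTS = {"api.ipify.org"}   # from this report; extend per environment


def parse_request(raw: bytes) -> Dict:
    """Minimal HTTP/1.x request-line and header parser; header names are
    lower-cased so lookups are case-insensitive."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def flag_request(req: Dict) -> List[str]:
    """Reasons this request is suspicious; an empty list means nothing to report."""
    headers = req["headers"]
    host = headers.get("host", "").split(":")[0].lower()
    reasons = []
    if req["method"] in ("GET", "POST") and "user-agent" not in headers:
        reasons.append("no_user_agent")
    if host in IP_LOOKUP_HOSTS:
        reasons.append("public_ip_lookup")
    return reasons


def triage_requests(raws: List[bytes]) -> Tuple[List[Tuple[str, List[str]]], Counter]:
    """Per-request reasons plus a per-host request count; the repetition
    (six identical GETs here) is itself part of the signal."""
    hits, per_host = [], Counter()
    for raw in raws:
        req = parse_request(raw)
        host = req["headers"].get("host", "").lower()
        per_host[host] += 1
        reasons = flag_request(req)
        if reasons:
            hits.append((host, reasons))
    return hits, per_host


# Constructed input. SAMPLE_REQUEST is the request the report prints
# (GET / HTTP/1.1, Host: api.ipify.org, Connection: Keep-Alive), seen 6 times.
SAMPLE_REQUEST = b"GET / HTTP/1.1\r\nHost: api.ipify.org\r\nConnection: Keep-Alive\r\n\r\n"
BROWSER_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                   b"User-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n")
CURL_IP_CHECK = (b"GET / HTTP/1.1\r\nHost: api.ipify.org\r\n"
                 b"User-Agent: curl/7.79.1\r\nAccept: */*\r\n\r\n")
CAPTURE = [SAMPLE_REQUEST] * 6 + [BROWSER_REQUEST, CURL_IP_CHECK]

if __name__ == "__main__":
    found, counts = triage_requests(CAPTURE)
    for host, reasons in found:
        print(host, ", ".join(reasons))
    print(dict(counts))
```

On its own `no_user_agent` is noisy: .NET's WebClient and HttpWebRequest send no User-Agent unless the code sets one, so plenty of legitimate in-house tooling trips it. The combination with an IP-lookup host, from a process running out of a Start Menu folder, repeated on each start, is what to alert on; the IP-lookup host list is the part that needs local tuning.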

            System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000011.00000002.516161347.0000000005AA0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Quasar RAT, Author: Florian Roth
Source: 00000013.00000002.513399666.0000000003856000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Quasar RAT, Author: Florian Roth
Source: 00000013.00000002.515047214.0000000005170000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Quasar RAT, Author: Florian Roth
Source: 00000001.00000002.513806115.0000000003F69000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Quasar RAT, Author: Florian Roth
Source: 00000001.00000002.516274400.0000000005660000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Quasar RAT, Author: Florian Roth
Source: 00000011.00000002.513691523.00000000042D6000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Quasar RAT, Author: Florian Roth
Source: 1.2.PO-ORDER-PURCHASE.exe.5660000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT, Author: Florian Roth
Source: 19.2.vidoediswire.exe.5170000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT, Author: Florian Roth
Source: 17.2.vidoediswire.exe.5aa0000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT, Author: Florian Roth
.NET source code contains very large strings
Source: PO-ORDER-PURCHASE.exe, qlgK8DFtjjmN5kby5p/EgBJEwG1huWo07EUv5.cs; Long String: Length: 861184
Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: PO-ORDER-PURCHASE.exe
Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe; Code functions: 1_2_01296510, 1_2_01296249, 1_2_01296258, 1_2_01291568, 1_2_01291540, 1_2_01296580, 1_2_070C7D09
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire\vidoediswire.exe; Code functions: 17_2_014F6180, 17_2_014F1540, 17_2_014F1568, 17_2_014F5E49, 17_2_014F5E58, 17_2_06A9E724, 17_2_06A90006, 17_2_06A90040, 17_2_070853F7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire\vidoediswire.exe; Code functions: 19_2_024B6110, 19_2_024B6180, 19_2_024B5E49, 19_2_024B5E58, 19_2_024B1540, 19_2_024B1568, 19_2_061A001D, 19_2_061A0040, 19_2_067A4B97, 19_2_067A4CF0, 19_2_067A599C
Source: PO-ORDER-PURCHASE.exe; Static PE information: invalid certificate
Source: PO-ORDER-PURCHASE.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vidoediswire.exe.1.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PO-ORDER-PURCHASE.exe, 00000001.00000003.303070365.0000000003FE3000.00000004.00000001.sdmp; Binary or memory string: OriginalFilename" vs PO-ORDER-PURCHASE.exe
Source: PO-ORDER-PURCHASE.exe, 00000001.00000002.516873002.0000000005904000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PO-ORDER-PURCHASE.exe
Source: PO-ORDER-PURCHASE.exe, 00000001.00000002.504783514.0000000000A0A000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameLime_MassLoggerBin.exeT vs PO-ORDER-PURCHASE.exe
Source: PO-ORDER-PURCHASE.exe, 00000001.00000002.520290871.00000000070A0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameuser32j% vs PO-ORDER-PURCHASE.exe
Source: PO-ORDER-PURCHASE.exe; Binary or memory string: OriginalFilenameLime_MassLoggerBin.exeT vs PO-ORDER-PURCHASE.exe
Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe; Section loaded: amsidll.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire\vidoediswire.exe; Section loaded: amsidll.dll (2 occurrences)
Matched rule: Quasar_RAT_1 (date = 2017-04-07, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34) in the following sources:
  • 00000011.00000002.516161347.0000000005AA0000.00000004.00000001.sdmp, type: MEMORY
  • 00000013.00000002.513399666.0000000003856000.00000004.00000001.sdmp, type: MEMORY
  • 00000013.00000002.515047214.0000000005170000.00000004.00000001.sdmp, type: MEMORY
  • 00000001.00000002.513806115.0000000003F69000.00000004.00000001.sdmp, type: MEMORY
  • 00000001.00000002.516274400.0000000005660000.00000004.00000001.sdmp, type: MEMORY
  • 00000011.00000002.513691523.00000000042D6000.00000004.00000001.sdmp, type: MEMORY
  • 1.2.PO-ORDER-PURCHASE.exe.5660000.2.raw.unpack, type: UNPACKEDPE
  • 19.2.vidoediswire.exe.5170000.2.raw.unpack, type: UNPACKEDPE
  • 17.2.vidoediswire.exe.5aa0000.2.raw.unpack, type: UNPACKEDPE
Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@6/6@6/3
Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire\vidoediswire.exe; Mutant created: \Sessions\1\BaseNamedObjects\ibgomwik
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6656:120:WilError_01
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f1avu0qo.rtm.ps1
Source: PO-ORDER-PURCHASE.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire\vidoediswire.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 occurrences)
Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM WIN32_PROCESSOR
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire\vidoediswire.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM WIN32_PROCESSOR (2 occurrences)
Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe; File read: C:\Windows\System32\drivers\etc\hosts (4 occurrences)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire\vidoediswire.exe; File read: C:\Windows\System32\drivers\etc\hosts (8 occurrences)
Source: PO-ORDER-PURCHASE.exe; Virustotal: Detection: 26%
Source: PO-ORDER-PURCHASE.exe; ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe; File read: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe
Source: unknown; Process created: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe 'C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe'
Source: unknown; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell' Add-MpPreference -ExclusionPath ''C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire\vidoediswire.exe''
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire\vidoediswire.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire\vidoediswire.exe' (2 occurrences)
Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell' Add-MpPreference -ExclusionPath ''C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire\vidoediswire.exe''
Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: PO-ORDER-PURCHASE.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO-ORDER-PURCHASE.exe; Static PE information: Virtual size of .text is bigger than: 0x100000
Source: PO-ORDER-PURCHASE.exe; Static file information: File size 2298256 > 1048576
Source: PO-ORDER-PURCHASE.exe; Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1fe400
Source: PO-ORDER-PURCHASE.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

            Data Obfuscation:

            Yara detected Costura Assembly Loader
            Source: Yara match | File source: Process Memory Space: PO-ORDER-PURCHASE.exe PID: 4604, type: MEMORY
            Source: Yara match | File source: Process Memory Space: vidoediswire.exe PID: 6904, type: MEMORY
            Source: Yara match | File source: Process Memory Space: vidoediswire.exe PID: 4568, type: MEMORY
            Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe | Code function: 1_2_05C55E0B push 8BFFFFF5h; retf 1_2_05C55E16
            Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe | Code function: 1_2_070C7E3C push esp; ret 1_2_070C7E3D
            Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe | Code function: 1_2_070C7C8A push esp; ret 1_2_070C7C8B
            Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe | Code function: 1_2_070C9BDE push esp; ret 1_2_070C9BEC
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire\vidoediswire.exe | Code function: 17_2_05E965C4 push esp; iretd 17_2_05E965C5
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire\vidoediswire.exe | Code function: 17_2_05E95E0B push 8BFFFFF5h; retf 17_2_05E95E16
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire\vidoediswire.exe | Code function: 17_2_07085372 push esp; ret 17_2_07085373
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire\vidoediswire.exe | Code function: 17_2_070872C6 push esp; ret 17_2_070872D4
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire\vidoediswire.exe | Code function: 19_2_05585E0B push 8BFFFFF5h; retf 19_2_05585E16
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire\vidoediswire.exe | Code function: 19_2_061A7070 pushad ; iretd 19_2_061A7079
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire\vidoediswire.exe | Code function: 19_2_061AADF7 push FFFFFFE8h; retf 19_2_061AADF9
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire\vidoediswire.exe | Code function: 19_2_067A4CC4 push esp; ret 19_2_067A4CC5
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire\vidoediswire.exe | Code function: 19_2_067A4B12 push esp; ret 19_2_067A4B13
            Source: PO-ORDER-PURCHASE.exe, ADa1fY8nbOVx0TwFcVO/mddMFY85hc331ofGnZ7.csHigh entropy of concatenated method names: 'YRfQF48rnc', 'UCIQ3eEOmS', 'qm5QaUC75h', 'bTTQr9Z0E3', 'KyCQfBqCIt', 'C1lQDQfGun', 'Rp0Q4qErjp', 'SqcQJvit8J', 'PJsQl9OXmS', 'ml0QT71xt3'
            Source: PO-ORDER-PURCHASE.exe, R5yUaW8XyJfYARNZ8YB/dats7m8qkttyiEDKY4t.csHigh entropy of concatenated method names: 'lF5ShVlqUW', 'kYMSv0T3ur', 'MSGStWhpGI', 'sKLS7Ii150', 'iV9SE3m9MY', 'OQ4Sw00Fp3', 'egmSOZ1loM', 'vfJSsiBasv', 'QlrSc5SUEH', 'zd7S67VDgC'
            Source: PO-ORDER-PURCHASE.exe, kGl6bW8bmq79KkeFhZZ/cjYhED8AmZvV0Ve3xSo.csHigh entropy of concatenated method names: 'T0SSaLktgJ', 'BVwSrjeEp0', 'wwkSfqa3Zq', 'U5lSD6Rdtx', 'F1hS4caodC', 'kY7SJ1qnbx', 'raDSlALWSh', 'HytSTvRhKk', 'CxSSZEBEeE', 'xHrSkcy5bp'
            Source: PO-ORDER-PURCHASE.exe, YvMaKCjVLXGgegMtLln/N6hnEEjRrUAEeDh9GQa.csHigh entropy of concatenated method names: 'QrN5bo1XOb', 'oWO5qBMvOc', 'l1o5XTprKu', 'Qmq55EuZUs', 'R7o5nOeldn', 'p4J5ua0Nvb', 'gdB5P3fFrp', 'jIe5N8YLgg', 'IoN5H7jrms', 'epS5SLcY56'
            Source: PO-ORDER-PURCHASE.exe, Aeu40Hj1hDysWBZdUjT/epeLVBjgViJhcbwBkJP.csHigh entropy of concatenated method names: 'JBmXLJQ87w', 'fXCXe10dSl', 'AwQXY575eZ', 'yhyXgSBvK6', 'KYnX1tVoVu', 'Q6IXRQQZ9Q', 'yMtXV3nTIM', 'VgSXoT8jy3', 'rFyXmHrYX6', 'i0LXCxZVfM'
            Source: PO-ORDER-PURCHASE.exe, eQIputjYnWQCe596Taj/KNvNNGjeJuOqVSfA6Ht.csHigh entropy of concatenated method names: 'N7DXXV1PSF', 'aanX5d8BTD', 'PpkXnEJgm8', 'rkaXuaRY6Y', 'ugUXPW4C7a', 'O7qXNc9s2B', 'oO8XH08KCY', 'hxMXS4BbXb', 'yNEXQFgbw2', 'DKPXdXH2xx'
            Source: PO-ORDER-PURCHASE.exe, rMrPwSFVSq4hHjxBVoO/R2jWBuFRXbdGMoJS5Xm.csHigh entropy of concatenated method names: 'wbpUk7ZGOg', 'P0YUiuDfGO', 'IxSUbXxuv4', 'E0LUqEjdQ2', 'zUHU5tGSqN', 'haFUnDwXiy', 'Yx3UPPgDyU', 'bvpUNq7V5a', '.ctor', 'bl4UZPNUeH'
            Source: PO-ORDER-PURCHASE.exe, Qu3LHfF1LL5CkEbI2J4/h92jhmFgCueAHUq20EV.csHigh entropy of concatenated method names: 'aAxxMydjTL', 'mRYxznZvf2', 'e81UjKoNJj', 'o3iU8SsFKd', 'wtrUFQVL22', 'ovOU3wBU0l', 'N5HUrxKN8V', 'XVQUfFlseO', '.ctor', 'RhAxCPemyq'
            Source: PO-ORDER-PURCHASE.exe, Vxwh8qFYixwfPpgAh2k/VnBX00FeB7ULFyFt9yx.csHigh entropy of concatenated method names: 's19xsIqpfp', 'gkwxciXkaF', 'bEkxycmgKr', 'F03xBXvMtw', 'KOexK6XMp2', 'ylKxLBgXZf', 'j6uxY00t0u', 'PFZxgL7fX2', '.ctor', 'm3JxOt3sj6'
            Source: PO-ORDER-PURCHASE.exe, pnPnv6FLVIau8A3EkYA/R2NUiYFKKqxKJL0f2rp.csHigh entropy of concatenated method names: 'iYKxHTGF8N', 'ww6xSO7s7B', 'rOYxd2rZSG', 'a0bx9QAg92', 'w0lxUuiH3W', 'yDyxIOp430', 'KBbxWp2jyS', 'Hu7xhN5Icx', '.ctor', 'PiUxNjaDov'
            Source: PO-ORDER-PURCHASE.exe, wsWYaUF4qA6QZp6bmUr/K20dcHFDfecG54mDoeQ.csHigh entropy of concatenated method names: 'fZZ9rMug6D', '.ctor', 'a4mYp9lY8tgsAn9Ccit', 'yXw08KljNMf6tYVB01c', 'tn8mrRlQVFgrIJEuJoT', 'P0fVZblLCMrXMYx6xni', 'WvY6LFlXPNSpwj3uOca', 'oKpk0SloxPWt0hZEK9P', 'HZuA5xlGn5qy6Yc22UL', 'AMIDvFldKABC5JTftQy'
            Source: PO-ORDER-PURCHASE.exe, YMPMby8fxjLnAgfHk0l/lhk8b38rq9coBSQuTLe.csHigh entropy of concatenated method names: 'YY4POKSWqb', 'O8PPsoGje4', 'bbwPc3LKyM', 'sYHP6LDPfZ', 'G9OPyVbodP', 'qf2PBDiboD', 'AxYP2rIHSN', 'erkPKlVBFO', 'FFVPLuKvCD', 't4WPejqSEO'
            Source: PO-ORDER-PURCHASE.exe, BRvDaF8aflvKBFS9ioP/QS5j1183Pl4DOfk1rKW.csHigh entropy of concatenated method names: 'SR4PlEcihQ', 'NG1PTtIgwS', 'vJZPZRL5Be', 'U4dPkVWPdd', 'BeSPitlONA', 'vykPAZ6DmW', 'm3APbsvHSC', 'XV2PqP8UR9', 'J6EPX64Q04', 'o9mP54FCsO'
            Source: PO-ORDER-PURCHASE.exe, ydsLK98FEChUmJAaZpe/yFIMIJ8Gden9mSVKbpE.csHigh entropy of concatenated method names: 'jm1uc1ZbSd', 'YwMu6XuDbE', 'QjEuylCpKD', 'ylRuBhrccS', 'rbfu2NEMU3', 'rjkuKtlLx3', 'BbWuLNShnH', 'GGeueXTrIB', 'L9cuYlpI2c', 'tgFugC3i0x'
            Source: PO-ORDER-PURCHASE.exe, spUBe9jfkDNewnU31gR/J6JCfrjrAuMWHokZST2.csHigh entropy of concatenated method names: 'kctTsB77Aj', 'eUoTc3xwyG', 'N1QTyGj3Kd', 'QpyTBp2cwF', 'rGVTKbOlV8', 'Gq4TLaAwgs', 'LPSTYJ2S12', 'oaATgsiuQk', 'HSVTRMbr4W', 'larTVWp9KP'
            Source: PO-ORDER-PURCHASE.exe, D3sw96ja3TEirtgpVkF/Q0NGonj3tlVhnUjQcya.csHigh entropy of concatenated method names: 'Gp4TroLFs4', 's91Tf8vO6U', 'UTaT4n6mVU', 'iQTTJmZdmD', 'DLeTTywP3e', 'TDsTZrHFyJ', 'Ba7TiVOaTq', 'e6NTAlhnip', 'fMaTqqbdne', 'kjHTX2hZeY'
            Source: PO-ORDER-PURCHASE.exe, cUTNpkjFeUSwGc5ULZn/wd9AiijGRL5bivTcL2q.csHigh entropy of concatenated method names: 'Gh0l56s2e9', 'lmjlnCKQff', 'JnslPC8CSL', 'AAxlNTsXkg', 'fDclSvCTUs', 'Kg2lQM0IyV', 'Mg3l9nl4MP', 'lI3lxgNKjX', 'bZKlIMJSUL', 'RqVl07INkI'
            Source: PO-ORDER-PURCHASE.exe, EhdMAKHxkFH2F2jpTw/aFvcVKNJedyNtuXuoB.csHigh entropy of concatenated method names: 'DqDFvR33Hn', 'u4LFtdr1IY', 'y5hFEPulEx', 'lK0Fw5scX2', 'agDFsTW5YH', 'Ep3Fcg3EOL', 'vrRFyKQwos', 'kbTFBGjqJJ', 'KCKFKSrC89', 'a3hFLJ8jYh'
            Source: PO-ORDER-PURCHASE.exe, wNXTZOPY7JXu8TiLSD/qqtCDEuswCeEgObu9e.csHigh entropy of concatenated method names: 'UdGGeJeKUi', 'WEmGYTNg27', 'JqVG1SfA6H', 'G3QGRIputn', 'fj3GopeLVB', 'ViJGmhcbwB', 'whDGMysWBZ', 'yUjGzTy6hn', 'E9GFjQaMvM', 'fKCF8LXGge'
            Source: PO-ORDER-PURCHASE.exe, b3WkFxnpqM4Apdqttl/fsEad35VwX3XiHMKUL.csHigh entropy of concatenated method names: 'PeCGkqMTri', 'wRwGidnFAI', 'UhvGb8QBcf', 'aSqGq36EjP', 'K39G5Zw8ya', 'zyFGnPfxlv', 'SuXGPfuvKS', 'us7GNhGjIP', 'mUkGSCKE12', 'Wi4GQCjiLW'
            Source: PO-ORDER-PURCHASE.exe, QdykTOXUKanI8rjFn1/v3wZX6qtgMGf6LUi5p.csHigh entropy of concatenated method names: 'xIh8gWovfC', 'VLe81E2vH2', 'xin8VC95eE', 'JVV8oWS3vb', 'CTu8CpwAUV', 'l5A8MNTcgW', 'PnXGp2S1EM', 'S5VGj2gYjt', 'VTWGGkvRWN', 'q8tGF10VdX'
            Source: PO-ORDER-PURCHASE.exe, sbrly3b7MHTRVGEXHx/gyF8E9AVYmUYkqOSOq.csHigh entropy of concatenated method names: 'NC08d5dan1', 'B4A89VlJvn', 'Ja28UKrCA1', 'lKv8ICNfdA', 'O0M8WUFwcx', 'NGy8hMYE8M', 'ctR8tOZglj', 'JQj871NY9x', 'WnF8wrhKtL', 'wqK8OCbIj1'
            Source: PO-ORDER-PURCHASE.exe, T3osHqZgCWhvvsYYwg/roDoa1T6V9ZaecJVxG.csHigh entropy of concatenated method names: 'k1QjqGZwwb', 'UNNjXa2vMf', 'IFkjnNF2uj', 'QuajutsYW2', 'vYXjN4Vu9g', 'ps3jHaVV1b', 'ml7jQPmaKN', 'IRyjdwauNS', 'dG5jxN9GRy', 'UDNjUDIBMc'
            Source: PO-ORDER-PURCHASE.exe, Mey1544c3sdF24wfga/bUaoLrDcPcDW2GrmkV.csHigh entropy of concatenated method names: 'FwuITuwTP', 'WX70Tct2M', 'XUYhkqOSO', 'qnbvrly37', 'wxH73wZX6', 'FgMEGf6LU', 'JUKOanI8r', 'aFns1asEa', 'wMK6UL83W', 'mFxypqM4A'
            Source: PO-ORDER-PURCHASE.exe, Oxleovf53K8vRiVmAP/GtDdZcr4dGNWLJXDUf.csHigh entropy of concatenated method names: 'esd5F24wf', 'SaanRED89', 'LvHPIrw1r', 'x74NxWsZa', 'f16SV9Zae', 'LJVQxG13o', '.ctor', 'ogbCZtTudw68rgdsEm', 'XkRJFT9MpTKeiTXWvS', 'xdkhu3bF7mtYC0hoj7'
            Source: PO-ORDER-PURCHASE.exe, SPAbhQ8mPamqqmaHntK/VE34wv8owiK1Euf1lXi.csHigh entropy of concatenated method names: 'eX0wGkydgQ', 'eWYwE0QQsm', 'Ajfw9CuZB9', 'Qo3dpnj3L5', '.ctor', 'XXUkZfJ7S1S7XTXNUc8', 'bhftLUJIn8FaHN9Sm6B', 'ByO2KPJCmNQgC955gKj', 'iqmM7UJ2PlLUomrrJjm'
            Source: PO-ORDER-PURCHASE.exe, JHcWbt81SjFZasfrMdP/a6LrrL8gUWbmUdK0LCo.csHigh entropy of concatenated method names: 'V6lQz66mTH', '.ctor', 'FfmfIUJkmmgDSC26wXX', 'Fpnfg8Jrpa3vPktTfnD', 'A1cpPVJW8uCrDpcvF4t', 'YPAaTOJUlvLeR2cE4eU', 'h0K4XgJHWQt66pZXfuE', 'CiycPDJTwGH3kyyQn7Y', 'u2mWKeJ9deuk9HNoRaj', 'Tfq75rJytMYiS6XExIP'
            Source: PO-ORDER-PURCHASE.exe, FOkfyj8yrxI91TADsIX/hs4YtG86mXL6yxBxilh.csHigh entropy of concatenated method names: 'ersQ1Rn3f4', '.ctor', 'oInBappEXwvDtqH6R5X', 'No9R4tpqDLM0T9FSdNI', 'd8uhLLpz2UM5h7LEgYR', 'kcZ5xVJKuRyDkWxfPr8', 'mTApQaJNhvLTHEwHI09', 'dHkafnJZEB6Cpc7pwCg', 'lSSxqfJvQecHFOEnPgK', 'D7VNKYpfbLrOpR1gJrX'
            Source: PO-ORDER-PURCHASE.exe, bRdGJejLKUioEmTNg27/LJRi9JjK9pMBT7nobvx.csHigh entropy of concatenated method names: 'mhSqY38Vek', 'YLOqg8vgr2', 'f6jq1jwIM0', 'FciqRSOGbt', 'JQgqV4ZmIf', 'lOgqo9GEB0', 'yEPqmBCm4o', 'L5nqCJ5YTW', 'ht2qMdlWXf', 'z0Jqz3p8Om'
            Source: PO-ORDER-PURCHASE.exe, gEH5mqjyJRoOh2MOsEy/TdkQF9j6B3JC8hFQi5g.csHigh entropy of concatenated method names: 'J5RqLskPCl', '.ctor', 'Vo5sCJVpCdcmrO3ToNi', 'qe6ep9VJ4v1hVw3WU3k', 'ylt1XQVtwg5UE2NohDv', 'xTxY7rV1ePgag2Po5Dq', 'F3qRwfVlKKTbLEsZQIu', 'XLHhacVmvouL6Ht4mOI', 'XJq1rxVVnDgr6u1je6W', 'cMnFBRV8P5vRwFWwcux'
            Source: PO-ORDER-PURCHASE.exe, uviaAZjcVpdysGAFfW6/Gp3yBqjsZS4fOEA0aWv.csHigh entropy of concatenated method names: 'zZRqKEO9qL', '.ctor', 'Eo5UMGvFPr3wN6uvMJI', 'VH7ZIQvEcNGSoNqUKe2', 'vSgFEgvqJLVbOFPeOda', 'SY9VDAvze1XAwaOK0hd', 'QwCKVbVK0i2Ud0rn5Fw', 'si3iD2VNnhihI936Gcx', 'BlTUXqv0t2h4T4wsv7p', 'gXxLyPvfxw1Xg0BdwTZ'
            Source: PO-ORDER-PURCHASE.exe, RHT90xjOIG3OnypacgC/Uoe4j8jwufHnMhxXIhc.csHigh entropy of concatenated method names: 'Nkrq2o0WsJ', '.ctor', 'GoJ43AvYAFvBANAvN0i', 'vUi5DxvjLgjBgBkflxq', 'yS8jm2vQUf3GNvfP0GJ', 'Qc6Cq0vLCshWIaVERBm', 'TGDYRcvXEknDcIRTT1M', 'FI80EXvdE3MZJZ2efal', 'RAq4ZLvoilxI5y4kOgp', 'um4hKcvGha7SngKTPfK'
            Source: PO-ORDER-PURCHASE.exe, TTH4gojEaoRmpfWNZ4g/PE12mij74CjiLWD7F2W.csHigh entropy of concatenated method names: 'yu7qBwv5Up', '.ctor', 'LNQQD4veSvKgc5B2ZKi', 'jpY0hOvaDfd1QK0WwYU', 'rRMWNNvRipm0MTef4De', 'RdQbURvs9JCSIScXPDt', 'Tynasgv4AKpeCS7RWIe', 'hpiwW2v349KSeegtklC', 'yx8ROPvh93B1ujq4Lwp', 'WnxBaevBpO7nkXAT946'
            Source: PO-ORDER-PURCHASE.exe, xNO2IZGPmZ0GmZi4RBu/Hni79GGu6WZm67FcSyg.csHigh entropy of concatenated method names: 'NnldSCehxM', '.ctor', 'oj437PtANDT4s110JWb', 'vE8g6vtomVoT9CxkvZ9', 'mMiYbvtG9BK0G3pqvTO', 'iQkhNytYXytYysMbqvl', 'jb0frVtjrOrBjnOl4iX', 'Q9k88FtQp27TSEFwTk2', 'yuJ3L7tLVU1q3QQiCCZ', 'rylWIvt3xBD0E9FD72O'
            Source: PO-ORDER-PURCHASE.exe, wMv7m33leKwoXk4g0E0/zOUxh73JWqDTVlX4OsY.csHigh entropy of concatenated method names: 'CUG0cYHiFH', 'pJK06CcLGR', 'tXJ0BjhQ3R', 'glT02ddAxY', 'pnK0Lr2eVT', 'h200eHi8bR', 'wG70gJNyfP', 'wN201TuQOD', '.ctor', 'VL90sm7oYJ'
            Source: PO-ORDER-PURCHASE.exe, AL9pDP34A5oE7FCcYiU/lJM4Hi3D70UCIcSFKrK.csHigh entropy of concatenated method names: 'OQM0S6i3LX', 'fNC0QQcdLI', 'OEa09VG1fP', 'b0N0xrgcdU', 'Q5I0IoiOfL', 'u7V00f8UX6', 'pcS0hvRf2l', 'J7o0v1asF4', '.ctor', 'FEV0HovySv'
            Source: PO-ORDER-PURCHASE.exe, Uqw6JK3fiIoQa34X1ue/aCN1Qy3rRxiASXmNLiM.csHigh entropy of concatenated method names: 'YWc04LvVMc', 'X5m0JjUmF3', 'Jrf0TIrumJ', 'feD0ZZJV5f', 'TYl0iLYpiH', 'Ugp0AQkdWc', 'Rmv0qoeger', 'thY0XiRmEP', '.ctor', 'pQO0Dy4NXw'
            Source: PO-ORDER-PURCHASE.exe, m8Mg6Z3aI0bGKIoXGXe/Vhr3OQ330BC6FBB12Jc.csHigh entropy of concatenated method names: 'khfIRTKxmx', 'xwvIVvE7X8', 'xdRImk2do0', 'VmrICckmHj', 'rUUIzZDIEP', 'DyO0pCoIk0', 'DIA08bHpE1', 'plV0GM18hY', '.ctor', 'CwZI1QpRgn'
            Source: PO-ORDER-PURCHASE.exe, e3Z56O3F48dLtKtmYuL/vTybUQ3G7NbfLd9AWkS.csHigh entropy of concatenated method names: 'RuHItqTOlu', 'RWkI7R9l8f', 'lTuIwqcA60', 'OhoIOWtNhA', 'cl5IcwfDej', 'RWSI6cDOVd', 'JPBIBrBAGB', 'eQlI2lEGxy', '.ctor', 'q21Iv4LoHF'
            Source: PO-ORDER-PURCHASE.exe, bVhD4HGYXTkUts76eSU/NKj6tJGeRe2dyvG4gNH.csHigh entropy of concatenated method names: 'eX0wGkydgQ', 'eWYwE0QQsm', 'Ajfw9CuZB9', 'pTcdKTuJmv', '.ctor', 'IHZlow1FIgW1Uqibuql', 'NGMa3E1E4rqDwJrFC9h', 'G7J3C91q4eFc9keBoVJ', 'd991xg1z73PRmFpbYs2'
            Source: PO-ORDER-PURCHASE.exe, HKmwMUG2ZjVipnWp6ru/QvDwoeGBG7hP1lCZK73.csHigh entropy of concatenated method names: 'cLFd2XkfS5', '.ctor', 'KBp29F1YY5KB945Fxks', 'tsZRIA1jOhspQGDWHmu', 'LYYNHq1QXafpGl5IxJ3', 'kZX1kE1LJR1slv1dbCT', 'Yhj3my1XTPoBuj5O3S2', 'QebZkd1ojFco6yfj3J8', 'ydQmDq1GSn6Y9ITuSAi', 'TF5Si01dj93UQSbAlve'
            Source: PO-ORDER-PURCHASE.exe, d2PTKyGy0IBaZvZIx6V/IbUwc4G6iPYUxL8XCi0.csHigh entropy of concatenated method names: 'eX0wGkydgQ', 'eWYwE0QQsm', 'Ajfw9CuZB9', 'Mu8d6dpCIK', '.ctor', 'ETJJPF1shd6ssSyZYLL', 'EPw3c314lDnWSkSIfKn', 'JG1vI413uqh0OhSqD9Y', 'zV5p6v1cnyOOfjAP4mJ'
            Source: PO-ORDER-PURCHASE.exe, ByOAX2GEUOnkOgvS3gV/pIJeS0G7KaQLynTgqVf.csHigh entropy of concatenated method names: 'EO0dww03vY', '.ctor', 'IsZm2r1To1ZQBvDYJLL', 'uUoIee19j03N3NRbcCv', 'eqHbUY1bMilvAIuadQt', 'MkO9SR1ijGWiq0qB1j0', 'pcSEKY1n0UL0PpxIL0l', 'tSBbBl16hRit7JXgy28', 'dhfHJY1ULoaEhCIZnfR', 'OfD9Hr1HMCv2GgnHgJq'
            Source: PO-ORDER-PURCHASE.exe, ayaJYv3bUJ0QLj8jxnt/aVGPqe3Al8fbvnCMNsf.csHigh entropy of concatenated method names: 'wwdpgr44KOvwU', '.ctor', '.cctor', 'DQW2hlOC9ETmbGQPWla', 'SpvPUDO2gCwqa0mTUC1', 'eT9GNVOh7VSA6HHcqbQ', 'N6SqQuOBkb4XPjtExTa', 'FWeLe1OerIZMDRRMHdn', 'M0FoI6O7XeLHpJInVqN', 'xpLn8vOIHnwRaMnd4i8'
            Source: PO-ORDER-PURCHASE.exe, LM1LWB3iPNm08Mj1nMu/xSVue13klOvCc8IFDrq.csHigh entropy of concatenated method names: 'hsPWideNy6', 'hiRWAWtgPe', 'T5tWqmDAoC', 'OfAWXgjIyZ', 'GCyWngXK6X', 'etFWuoPE5W', 'xDLWN8sb1b', 'vUsWHGRtra', '.ctor', 'H0yWkncsTl'
            Source: PO-ORDER-PURCHASE.exe, JrOj0S3Zi9nUwewuJ0p/dKmpyb3TjstPUrdBkvh.csHigh entropy of concatenated method names: 'l670z73HlH', 'k6jWpjMeTJ', 'SFnW8asrZp', 'Xx5WGx8Sh3', 'Mm7W396Xwr', 'FdSWaVtYpi', 'UxyWf0NEvi', 'afnWD5fSTc', '.ctor', 'cYq0MUyrUO'
            Source: PO-ORDER-PURCHASE.exe, X5qYcKGUd4dlqLx9tEq/SqUcR2GxMIHTOKCWKE3.csHigh entropy of concatenated method names: 'bmTd0cWxYQ', '.ctor', 'pwourg1poJOQmAQXLy8', 'osEDPP1JBOqqORYpn18', 'C7XaJe1t7Jw0M5Xyu3u', 'vlhp2411SqK7aUfQi3d', 'p3tVAt1lCqoMhe8k2W8', 'YHgBI91mwqLbHX4RUgo', 'MbBX251VjeUhHMPvPKH', 'dnEJd818mnU5qnu5YaR'
            Source: PO-ORDER-PURCHASE.exe, vlEcIbGf7UpVNcoJWuC/a5hMbuGrjjmIM09NC3r.csHigh entropy of concatenated method names: 'rT9dTMiqNK', '.ctor', 'ivDa0CtV3yme2YIILab', 'zcI0jjt81I5OSLRqUoO', 'cYTRoAtpC9QwfZgCKlf', 'RRRQi8tJSyrjns5RGdB', 'rvk0cNttLwi7hvidtQI', 'wEYdb1tZNitGljhJADI', 'lFg3yWtvqYXGIsbldU5', 'a74hcht1f7HX62JHUK8'
            Source: PO-ORDER-PURCHASE.exe, nVwHHMGFPMaTMOJmAYk/jCcXJ4GGsMDkthOfdvL.csHigh entropy of concatenated method names: 'eX0wGkydgQ', 'eWYwE0QQsm', 'Ajfw9CuZB9', 'IPBdrqbA1Q', '.ctor', 'CLVg6UJguZUAeatqC0j', 'VADtLVJuxIyXGvSgxTe', 'tjhjEXJ0w87W5kDbsFH', 'i5QBKJJfNKLbrRfSoCc'
            Source: PO-ORDER-PURCHASE.exe, YG5PHlGpUbb3aFl6IPW/NMRTfL8z8VHwXXvMnLw.csHigh entropy of concatenated method names: 'gqQdaeI2Uh', '.ctor', 'vofbgJJcNhgDNLf90Vj', 'Vws4iAJAbMjnk5MFN2k', 'B6g9kxJoIZowLIhh2RL', 'aUbV4yJGaFYttQmY7hb', 'otROLBJYBly8LMIvliP', 'Uf7cAMJ4fMMf5RYZR2W', 'aGpbbNJ3UVauADhtmQl', 'e5hgEsJjOHs4BEeGeEn'
            Source: PO-ORDER-PURCHASE.exe, N7VTnhFyb8KmhIwxADA/KEyF2CF6hECvXrGLDvL.csHigh entropy of concatenated method names: 'Ays91eMfTs', 'j809RayMCj', 'pcB9os7QIm', 'vEP9miuaEw', 'dYI9MQlVX4', 'P9J9zOJffY', 'mDoxj1wodN', 'F4Px8jFkES', '.ctor', 'Dgs9gnZrUW'
            Source: PO-ORDER-PURCHASE.exe, caQibcFcmd3bIy3FRkp/mwT98HFsVnvQf8tvGsp.csHigh entropy of concatenated method names: 'i8i9vNfRes', 'oy19tR59X6', 'HUI9EQLwAA', 'WJI9w0TE8G', 'rdU9sEQAee', 'MMq9cg6kUn', 'TmL9ybGrEY', 'nfo9Ba7B9J', '.ctor', 'yHC9hR4SOZ'
            Source: PO-ORDER-PURCHASE.exe, lJQiRPFOOBTBHZ3JgrX/iLVaUbFwI4bFOBphAct.csHigh entropy of concatenated method names: 'g7L9WPsiXK', '.ctor', 'gR6cI85DAg1tetv5jyT', 'EFG1BG5xXUeFTWMco3l', 'IwFNxG5ykdQSi3wIZiD', 'V9jc235SZCxs5HVHkTi', 'b7D7ft5kBSastD7v90r', 'LyRTB35ruwdepPIM1w5', 'qKwmTq5WGs3PoiimcUD', 'mduadI5OY7cOau1K6vT'
            Source: PO-ORDER-PURCHASE.exe, wsdVliFUnftgrsettB7/pPYWV1Fxlb2VZlEAQwG.csHigh entropy of concatenated method names: 'eX0wGkydgQ', 'eWYwE0QQsm', 'Ajfw9CuZB9', 'vq39NLn6MS', '.ctor', 'ILkGwbmYZqRaGTo0j4T', 'mDHk1qmjM3D2SWeBfYJ', 'xSOBbBmQrVJm7U7qsrr', 'FtQpZhmLIJ0oJoRU6Cy'
            Source: PO-ORDER-PURCHASE.exe, ULCjibFH3A34tFSECZd/pMPiOUFNXYoFENqq4lq.csHigh entropy of concatenated method names: 'Wiy95dVXK2', '.ctor', 'TPA9N0mITtJn3oSo1kt', 'lNRXn8mCOJQlOCLsjam', 'OjDhtem2tsr0hadK3rc', 'JJs4aJmhwr0TAbDfVGK', 'uQjnsvmBat4AB7UlgBw', 'zqOOPYmeAxnyvbk2lIW', 'Me7fJEmam5BQGWHg6Tu', 'TFfsqNmwsKqqmlcAeyv'
            Source: PO-ORDER-PURCHASE.exe, u4wMyD88aR25SuNP6sM/m758bm8jbx0vQIBbyDJ.csHigh entropy of concatenated method names: 'kFMuZSoOts', 'KBQukhFlaq', 'iO4uiVmuyM', 'fMPuAnxg1y', 'BZ4ub3sP6n', 'LmTuqMrpGx', 'jSsuX9qk7H', 'caQu5uYdjx', 'ycNunEyGMo', 'WHQuuT5nNl'
            Source: PO-ORDER-PURCHASE.exe, cJpvUh8pvg5ERP45UDM/lqoocUjzpgOmVVrlnXd.csHigh entropy of concatenated method names: 'P7HnyuUdZo', 'cgUnBalf1Q', 'I3vn2ixaBD', 'NG2nKd3FZf', 'E9EnLpCpx2', 'iUineTeWoL', 'piLnYIUKLs', 'QhqngGTmBs', 'q1Zn1sXMc2', 'W0RnRbtowo'
            Source: PO-ORDER-PURCHASE.exe, ODLTELjMDQqCNYa4mVu/BneaJkjCFFVC1GDmV6K.csHigh entropy of concatenated method names: 'MQLninfCJR', 'NaTnAnRPwo', 'gVenbs6fGc', 'hXInqsKaOZ', 'XDonXdh468', 'HdZn5KVC5P', 'loDnnLl1ei', 'AMknu8WVKb', 'muInP0xD5Y', 'rQrnNbZQf0'
            Source: PO-ORDER-PURCHASE.exe, Cf8YkLjmIwJmMDHHkKL/CogW2EjoSCMT93Mqr3S.csHigh entropy of concatenated method names: 'QfE52Zeh5f', 'tbk5KaowYA', 'SZP5Lhkxe2', 'mcD5edLyaq', 'JbT5YBUyKg', 'qCo5guDiqm', 'gVf51kFsn5', 'Vys5RCpXB1', 'Egq5VOTVaC', 'TyP5o7S5vF'
            Source: PO-ORDER-PURCHASE.exe, WyybFCFbrGC7SWN4gma/LKwj26FAlVPXKlsP0cI.csHigh entropy of concatenated method names: 'l5I9ZDnN4i', '.ctor', 'qiydhjmt2ZFwh2WTiqN', 'rbXLrSm1uNDamY86aIg', 'PGd5jumlSumSM10Zd0e', 'gUy3LgmmUrn7X5eev5K', 'I0RPTVm58caggeaTHQ9', 'O0QuDdmMBGKxIdXTuj0', 'bvt9Q2mOAyarDnwLn8w', 'PTvHAUmPrfI7fd0PwQG'
            Source: PO-ORDER-PURCHASE.exe, MOuIRtF86wdlkpAxaJC/cZgbLcFjgnqgK5f2gmp.csHigh entropy of concatenated method names: 'WBS9pT22j5', '.ctor', 'hvB68el9sFUMr1c4S5T', 'xMUjgWlbxWQuJAlvOqr', 'a5cCRHliuPtqa1QRQVN', 'sIROXYlnF6I3gWwQmOp', 'cr8pMQl6ZgI1Sg9LLtt', 'Ay6ZO7lwdopLexHY3Yr', 'fZHV65l7TiWva1tfQKf', 'QJJUTxlH5jXLsocX243'
            Source: PO-ORDER-PURCHASE.exe, K3aVV1Ob1TZ2eF3Rkl/yAqQP4wJQNYX4Vu9gb.csHigh entropy of concatenated method names: 'j4orRKsCEb', 'BwcrV4iPYU', 'OPTrmKy0IB', 'fZvrCZIx6V', 'EP1rzlCZK7', 'eEKfpmwMUZ', 'guYf8nYJmX', 'qGkfG8Jetu', 'JWVf3MdQ98', 'UJBfapBKj6'
            Source: PO-ORDER-PURCHASE.exe, pkiRgRt10RQZl1QGZw/Mp86BFvXraZtedRbNP.csHigh entropy of concatenated method names: 'MdGrrmQZr1', 'sBrrfTSMNB', 'mm6r47FcSy', 'SSNrJO2IZm', 'NusrTYJpkB', 'UsjrZgxVDu', 'N2qri99HrT', 'eE1rA5objg', 'PTxrqR0toU', 'AlnrXgxQxn'
            Source: PO-ORDER-PURCHASE.exe, nyHKqqhdeX8Db2eDxl/doQOmGWWdyJrjLoZEi.csHigh entropy of concatenated method names: 'NiDa6EN3iA', 'aB1ay3SO7a', 'LHfa2PocjU', 'mAaaKKeRCh', 'amVaerdjka', 'eAdaYj8pMj', 'bsca1hdqZ5', 'bX5aRxRD9w', 'uf1aodE83i', 'fPOamhNmfU'
            Source: PO-ORDER-PURCHASE.exe, v82Fus0xAN0p6Bbdpm/YyECowI4mORiUOO02s.csHigh entropy of concatenated method names: 'cYb3CLQPf0', 'fQF3Mp3Aey', 'VdYap2LyCX', 'nPTajgFtq9', 'a6LaGrrLUW', 'pmUaFdK0LC', 'bFZaaasfrM', 'yP5arZCUHU', 'cMwaDjLb1I', 'Nt8a40HEXE'
            Source: PO-ORDER-PURCHASE.exe, l2o3XxU6IvxZTOc3Dn/anEjaqxAPOPeK8CsMc.csHigh entropy of concatenated method names: 'yh83WSfIrQ', 'dvu3hP2LDq', 'hlt3tptd7o', 'd1m37OeNVw', 'yZ03waKwf8', 'Y5B3OanhDy', 'eZ03cSoBel', 'G3g36EYP0S', 'uhv3BFCJOP', 'hs432YtGmX'
            Source: PO-ORDER-PURCHASE.exe, ARWU6b89TQenXjZqh5F/S7nWA98dfm2u3Sdchfs.csHigh entropy of concatenated method names: 'IvnQE5VpyS', '.ctor', 'cki6CdpDgvLDv1oJbNS', 'eS2vWipxpUNsoFHRDUc', 'LmkLxopyujS36VgxUZM', 'RmNVxepSK6ujK8RBEis', 'eCT0SGpkeLr1pTcbPI6', 'NxlVY2prJB8RJQGJG86', 'CXVtA8pWCi9sCIsqfus', 'PLR1VvpOZ5r1tTxjEkJ'
            Source: PO-ORDER-PURCHASE.exe, v4qvQW8Q1KbN1h2Fkyo/U8mc8y8ShcjAKKOFNtn.csHigh entropy of concatenated method names: 'eX0wGkydgQ', 'eWYwE0QQsm', 'Ajfw9CuZB9', 'NFYQvMnDwE', '.ctor', 'gVR5USplD8evgML6bZ6', 'WIUHV5pmbqmgxmigvrO', 'T0XFq0p585PWpOa7Lfl'
            Source: PO-ORDER-PURCHASE.exe, zwF0CC1EQnyvthKSHD/UQHWgqgPtdmHO14iaA.csHigh entropy of concatenated method names: 'Bau4T8A3Ek', 'SAV4ZnBX00', 'zyx4iVxwh8', 'qix4AwfPpg', 'EmC4queAHU', 'p204XEVeu3', 'HbI4n2J4e2', 'bWB4uuXbdG', 'YrP4NwSSq4', 'EHj4HxBVoO'
            Source: PO-ORDER-PURCHASE.exe, jIeGccYvURi643ZyiM/dFT5EHeLSmItqZCLdX.csHigh entropy of concatenated method names: 'fWMD7CENF8', 'O2iDEw8glM', 'CGkDODnElD', 'zQJDsHkQ9r', 'rA5D6nBDhk', 'JsRDyuSwDh', 'udhD27FXkB', 'vwODKHmHoS', 'GL6DemQlcl', 'rExDYKGlfI'
            Source: PO-ORDER-PURCHASE.exe, RNOZBS2WJ88kL9vctj/zq9DoFBQon5EfI9JZ9.csHigh entropy of concatenated method names: 'mGtDGCrh8c', 'LKwDFj26lV', 'BmyDaybFCr', 'dC7DrSWN4g', 'C96DDe72d8', 'qkED4RoHio', 'JCrDlFqgEs', 'lUVDT8tPBk', 'gx9DkBY452', 'jqsDip91QN'
            Source: PO-ORDER-PURCHASE.exe, INf22JyAxgv5xRECF6/CBMcET6XctL1xHFp4B.csHigh entropy of concatenated method names: 'mLufwerITN', 'F09fO6Rymf', 'qOlfc7cf1h', 'y5if6qHRmu', 'qNHfBSjrFt', 'MVbf25LJP4', 'LG5fL4mDoe', 'xHsfeWYaUq', 'ArWfgUw0Is', 'iOZf1NncZp'
            Source: PO-ORDER-PURCHASE.exe, qlgK8DFtjjmN5kby5p/EgBJEwG1huWo07EUv5.csHigh entropy of concatenated method names: 'vf58Ybov9', '.ctor', 'YnqGTWvhl', 'D90FKEqok', 'qbh3gBJEw', 'ThuaWo07E', 'Bv5rqlgK8', 'htjfjmN5k', 'qyH7rBmy3xXmJ501p4', 'WmjcjO5sSbVx3xROEr'
            Source: PO-ORDER-PURCHASE.exe, DovfCVjnLeE2vH2p85n/EGw9c6j5aBcdDd4tSIh.csHigh entropy of concatenated method names: 'YQ1izPMUsK', 'oW1ApW2mxD', 'nt9A8XfBc6', 'GdtAGE9LT3', 'Ao4A3GVDeK', 'DAJAa9ahR5', 'q91AfgcCr4', 'SE0ADH5V4D', 'JEKAJpSx67', 'akeAlZcUUV'
            Source: PO-ORDER-PURCHASE.exe, U9aR7GjXfFUv0FqNiGs/weQql4jqy4aqw4Sxu35.csHigh entropy of concatenated method names: 'gFwivvwJO1', 'VbQituqRgI', 'VIdiE0cI4d', 'MLtiwL4XXx', 'xCgisIlqCb', 'YBUicPO75w', 'BsSiy026RB', 'cT8iBEmjMh', 'QCAiKGVuuE', 'xhviLXHNS7'
            Source: PO-ORDER-PURCHASE.exe, oLbQ3KjbM8RMJFgpCdC/a19KTajAIE3AwjN9Kjp.csHigh entropy of concatenated method names: 'SnEiTxohVs', 'OtxiZ84v1v', 'CxliinXlL8', 'Gb3iATYP7d', 'hbsiqMGNrn', 'IA6iX6DPWW', 'N7xinaUaEK', 'OSEiuduwYw', 'CQsiNBefMW', 'G9wiHMnJvh'
            Source: PO-ORDER-PURCHASE.exe, qg5onFjirhKtLSqKCbI/mgljOQjkj1NY9xY3mhO.csHigh entropy of concatenated method names: 'zH7keHjkaI', 'CMFkYSTiqp', 'EuFk1XUJ8U', 'gJqkRTVSfH', 'GrJkofkBEn', 'PVOkmf07oG', 'gXckMr6SOn', 'EMIkzKZ5eG', 'lE9ijHgJpE', 'PHhi8TGCyk'
            Source: PO-ORDER-PURCHASE.exe, f2KrCAjl1TKvCNfdAFB/B4AVlJjJvnMlQlPmOOw.csHigh entropy of concatenated method names: 'U5wkGCmSAh', 'oL3kFL7Nb6', 'daakao8GTQ', 'BpZkrTl5Mp', 'v9ZkDfdKae', 'UlFk4Op9um', 'BHBklfODK7', 'sL0kT2OTAs', 'wmMkkITTOn', 'pxlkirydlW'
            Source: PO-ORDER-PURCHASE.exe, BgMKh0j4UWBBC05dan1/kipZR8jD9ITgv4HkY39.csHigh entropy of concatenated method names: 'aW5ZAn2ERV', 'shwZbLvC79', 'RLDZX0d51s', 'tnSZ527gpk', 'WYkZuVmd1Q', 'NfUZPT13S3', 'SqeZHJpwEd', 'paBZSbKjyC', 'bv5ZdgISVV', 'vF1Z9osuUw'
            Source: PO-ORDER-PURCHASE.exe, wROvWoF2nMTJbMftMV2/mA2875FBm2Y5nx1OWC1.csHigh entropy of concatenated method names: 'UOVxDeelrJ', 'oOTx4p8eNI', 'eHtxlFfY8h', 'wotxTwe3nG', 'mxdxkIIk0w', 'eatxi04XZ8', 'yxBxbyk5Wq', 'TmGxqjeDjD', '.ctor', 'dp4xfn73XD'
            Source: PO-ORDER-PURCHASE.exe, KXa9yym75UX1Il63L8/J3LO1jomPGEgb0qHOL.csHigh entropy of concatenated method names: 'Yj1JJnMupV', 'cPqJlel8fb', 'MaJJZYvUJ0', 'yLjJk8jxnt', 'D6DJATtnno', 'bXyJbchQAl', 'TdoJXups5w', 'zAyJ5XfK67', 'fZCJuxUnLq', 'p3iJPtAR6K'
            Source: PO-ORDER-PURCHASE.exe, qmEv4HFMbkhbU23SMCW/mCAm07FCxdFFJyQ566U.csHigh entropy of concatenated method names: 'XfxUKDk4JZ', 'aUiULSmdGG', 'u2jUYQ0Yyb', 'xRyUgZlF4B', 'rSPURwqfoT', 'iy5UVVKT6H', 'A3GUmJ4ji2', 'K3FUCm51hY', '.ctor', 'zccU2xVX4h'
            Source: PO-ORDER-PURCHASE.exe, EKaBTCFmLbDnhq8dmPu/bmxMo7FooxKQSoJEa6C.csHigh entropy of concatenated method names: 'PAaUUcAvPS', 'AqHUIBvFqO', 'KkwUWkgXhd', 'ry2UhI5wrW', 'YRvUtb14VL', 'yysU7rl8ZI', 'kCSUwx2l4A', 'U97UOF3LNl', '.ctor', 'bcsUxh7nDf'
            Source: PO-ORDER-PURCHASE.exe, dxy0N2G9oyasE2JUwRF/ej8UH6GdtdxAJ9wLIxx.csHigh entropy of concatenated method names: 'eX0wGkydgQ', 'eWYwE0QQsm', 'Ajfw9CuZB9', 'n5MdxmKdQX', '.ctor', 'hPK29Vtze7sNX3117DP', 'HyJoyE1KtOlyHRMvGKa', 'zvOyC41Nm8TpavX3EoL', 'hm70Np1Zm1aqvr53hID'
            Source: PO-ORDER-PURCHASE.exe, OC8i6n9yrAr23kkhiY/tpYB8idYeR3HSxAyhG.csHigh entropy of concatenated method names: 'PKO3JFNtnN', 'iqv3lQW1Kb', 'S7n3ZWA9fm', 'Ou33kSdchf', 'xen3AXjZqh', 'sFh3bSQSnT', 'uxL3Xw9M1Q', 'Yl03535q8S', 'epr3ufVfX6', 'Kb13PW0dEH'
            Source: PO-ORDER-PURCHASE.exe, t8uc2q38D2m8Un5lGW3/VKUjgj3jbNGb2WtD6GZ.csHigh entropy of concatenated method names: 'gN6I5d4FI5', 'FFRInC3w9a', 'Co8IPxvcrw', 'TfIINa4qjf', 'JuXIS0rUnl', 'QtyIQbNV9y', 'jp4I9iV3K6', 'vIxIxAu98m', '.ctor', 'BsGIX9f5x7'
            Source: PO-ORDER-PURCHASE.exe, Ksvr8f3p8mPwwBKNkOB/bVpfQSFzfd0VUKTZojh.csHigh entropy of concatenated method names: 'UaUIFZBkRQ', 'KWuI3swe3L', 'QoKIrt0yhJ', 'cGKIf9m43E', 'YxdI404tLs', 'KPuIJ82N0S', 'gd4IT2PeLw', 'E9AIZvGxRU', '.ctor', 'TWJIGLHlKa'
            Source: PO-ORDER-PURCHASE.exe, Oiw8glF0M9EN4XdBT0G/q6aaXTFIVraWMCENF8B.csHigh entropy of concatenated method names: 'F5r9QDdZnf', '.ctor', 'iwnHTtmuouxAU9Vdx8m', 'w6C5BMm0Z63U1fphW80', 'TDK0CfmfBgfh71nHl7K', 'mFnRrrmFASadgTspRpd', 'C0QPDAmEld0lL2BoDp8', 'vx2a2jmq3Ja3gsvTnjg', 'Ybnesamd5QamqgUBppx', 'zEgLIPmgoPiR8WOcgRY'
            Source: PO-ORDER-PURCHASE.exe, JtwuTuiwTPoX7Tct2M/RuTMJBkBmuFiGvyctI.csHigh entropy of concatenated method names: 'xE983ZpgWu', 'gIe8aKCbrL', 'ffI8frJt9O', 'ce08D2RQWw', 'xK58JlskID', 'p2i8lJ8yDT', 'rbi8ZvTcL2', 'qGU8kTNpke', 'mnL8A0NGon', 'GlV8bhnUjQ'
            Source: PO-ORDER-PURCHASE.exe, Ml3rewMA0bjN0aygdF/cGopFCCO2Z6afFRJvS.csHigh entropy of concatenated method names: 'ToHJWiJvOx', 'AIKJhsJ2V3', 'QQbJt2GW2B', 'YDTJ7ik2pi', 'MGFJwUKTxf', 'HuBJOL5vCV', 'Xe2JcoInfA', 'q73J6wdjGu', 'jESJBjiAK2', 'uFdJ2eP6xK'
            Source: PO-ORDER-PURCHASE.exe, e9Zw8yjha9yFPfxlvWj/aSq36EjWjPCR6hFFecs.csHigh entropy of concatenated method names: 'yTNq6jT1Ba', '.ctor', 'Oe5WmcvSlqGj4uYNvph', 'JEiOXxvkH63r4TnVlr5', 'meQqk9vrqb9u2VP0LDa', 'yd16mGvWMHmMtBGHBFH', 'fFjTbvvU1EoCDFnBK80', 'aLNKgIvHETJMRvmCOkm', 'eONgtKvxI4EG7ROgbaX', 'K34Z7Pvy3DHDeqtyOgZ'
            Source: PO-ORDER-PURCHASE.exe, Cv6CUsj0kG9Vhv8QBcf/fMKeCqjIMTriHRwdnFA.csHigh entropy of concatenated method names: 'x8EqcO3cZb', '.ctor', 'dLv5OCv1Orgde582Z4b', 'EZmd8GvlJnOxtxx7cPb', 'WarUHnvm6mAF8cVlXeM', 'HDPR8Iv5AYtVU6Bcn3d', 'g65BrxvM8AWJ8bNdFTo', 'RrtpIIvOvLuMpbygZth', 'cSajPNvJYk941KuTgsZ', 'huSUI3vtMLlDviqiU81'
            Source: PO-ORDER-PURCHASE.exe, yYjUMhjUALQ1nuNroBr/AP4ie1jxKt9fDCaiXRb.csHigh entropy of concatenated method names: 'rfyqsyc4lx', '.ctor', 'q9o4aEZzYEMITpMX9a4', 'TWUSynvKko8mOdT99BP', 'cbuXyKvNEJgkd5r08eL', 'Q0sVcAvZqqVLh3xLJvt', 'KhWH0dvvycGB0Ru5YIr', 'ze8mJFvV308bNOC5SSJ', 'bGTYHXZECqV9DhLHYAD', 'JpKwSiZqIQVWhtnyVZv'
            Source: PO-ORDER-PURCHASE.exe, Rv7IAej9XqEbghAQMKU/bPmLCEjdbla7AUXrEkC.csHigh entropy of concatenated method names: 'GyXqrCR6j1', 'aYaqfFyvZy', 'lwdq4Y2WVQ', 'MpIqJR6A30', 'd86qTU5vir', 'yxnqZ6Cnwt', 'nd3qiufxLt', 'SnkqASTZXp', 'kZwqqhcGFh', 'JWGqXbrKxi'
            Source: PO-ORDER-PURCHASE.exe, ct10VdjQXuiQ9pylcqN/yCTB6KjSpNVTWkvRWNq.csHigh entropy of concatenated method names: 'jNub5BBcEH', 'pofbnqiWEi', 'WNbbPrUmLL', 'YJdbN4SkwW', 'YQybS0Nqwc', 'dERbQ1hZn5', 'iVDb996CQN', 'VnHbxocUL8', 'klDbIM7WCx', 'iuyb0dYKUp'
            Source: PO-ORDER-PURCHASE.exe, evbhqZjPK8Qre0TupwA/L7E7QijunC95eEOVVWS.csHigh entropy of concatenated method names: 'D0oAWlfyTw', 'BAGAhYw43E', 'AG3AtyZUZR', 'JklA7PXaf6', 'RTRAwaUtG5', 'CKfAOmVnLm', 'a3YAccLThc', 'KFZA6sq2A3', 'eV1ABO6MSl', 'OQRA2gnohG'
            Source: PO-ORDER-PURCHASE.exe, IHI6Qs8iCKSrC89p3hJ/UKQwos8klbTGjqJJCAh.csHigh entropy of concatenated method names: 'FZGHtPVqQ1', 'fdFH7Qts8e', 'OePHEFYJxC', 'WGIHw56Ktv', 'uueHOmQi3c', 'TkaHs7UQoB', 'DTsHcS7XGE', 'KfGH6R4niE', 'DteHyMvooR', 'XYJHBxktf8'
            Source: PO-ORDER-PURCHASE.exe, a3g3EO8ZL9hSIvUW4Nr/Abh3s78TBUpgDTW5YHh.csHigh entropy of concatenated method names: 'nWNHfMxiYU', 'kaBHDZvlDm', 'mlBH4eLiNo', 'nmSHJE2L2F', 'grxHlsM9rW', 'bPwHT2aVIM', 'a7CHZ9fbL6', 'gZCHkg6Cw8', 'aDgHi4KH17', 'TpRHAUVv4l'
            Source: PO-ORDER-PURCHASE.exe, Fd5hPu8llExTK05scX2/vnP4Ld8Jr1IY3BZX4fP.csHigh entropy of concatenated method names: 'WqpNEHDrCe', 'qE6NwJRbME', 'hgnNONjCVU', 'c0iNshfDpK', 'xxINcjpSYQ', 'Qs9N64G9sb', 'XWGNyprSsJ', 'zrNNBsQbQ7', 'o0xN2533mH', 'v9jNKxCjFq'
            Source: PO-ORDER-PURCHASE.exe, GMiHHb842xDhEWqDR33/atwa588Da119afyr88H.csHigh entropy of concatenated method names: 'UVFN4RP2x9', 'FV1NJH9dGC', 'JmWNlD4u2P', 'JK6NT4QuBu', 'JtCNZWxURU', 'LBQNkShpcC', 'HJpNiMJlXx', 'm52NA9ha6Z', 'NuHNba4uDx', 'YrnNqhe2GA'
            Source: PO-ORDER-PURCHASE.exe, t1I3Kb8tIkY2tQnXiQh/JZaQRw8vhTA9gW9Sh3A.csHigh entropy of concatenated method names: 'T4vQBCJOLP', '.ctor', 'RjrRNrpRekyNRLXqSbg', 'sPIqulpsOmy8SwGSQj4', 'QMD16Yp4ln6d5BaJoU4', 'MSRJ2Rp3VY6fu71Ai9i', 'FJ2cmMpcKQFOcoGLOyy', 'j06jaqpAJYqsWrClCnb', 'SR2lafpeUF3vjvMiVps', 'p2GpCdpaO9YiVlMm0Av'
            Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire\vidoediswire.exe
            Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire
            Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire\vidoediswire.exe
            Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire\vidoediswire.exe\:Zone.Identifier:$DATA
            Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vidoediswire
            Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\W