
Analysis Report Purchase Order_Pdf.exe

Overview

General Information

Sample Name: Purchase Order_Pdf.exe
Analysis ID: 339377
MD5: 24ab440ba14af239092dc2f4c04a4aed
SHA1: 4f060fb538c3f5fba0b7e8e95bfc5c3f620ea190
SHA256: c213685d3005fbac05b0cd6b11a077f57cc4d50fcb762c7cab8a81ae7dec2043
Tags: AgentTesla, exe


Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Purchase Order_Pdf.exe (PID: 6556 cmdline: 'C:\Users\user\Desktop\Purchase Order_Pdf.exe' MD5: 24AB440BA14AF239092DC2F4C04A4AED)
    • schtasks.exe (PID: 6988 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gspeFYive' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA8D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "JTEGfd5E6q9K", "URL: ": "http://WLcj6bxQ2J4N01Tk.com", "To: ": "office-z9@impressindia.net", "ByHost: ": "mail.impressindia.net:587", "Password: ": "aiCQx1fB", "From: ": "office-z9@impressindia.net"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.618170547.00000000030D2000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.618083495.000000000308F000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.626396624.000000000A420000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author
0.2.Purchase Order_Pdf.exe.a420000.10.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.Purchase Order_Pdf.exe.a420000.10.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gspeFYive' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA8D.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gspeFYive' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA8D.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Purchase Order_Pdf.exe', ParentImage: C:\Users\user\Desktop\Purchase Order_Pdf.exe, ParentProcessId: 6556, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gspeFYive' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA8D.tmp', ProcessId: 6988

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Purchase Order_Pdf.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\gspeFYive.exe | Avira: detection malicious, Label: HEUR/AGEN.1120329
Found malware configuration
Source: Purchase Order_Pdf.exe.6556.0.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "JTEGfd5E6q9K", "URL: ": "http://WLcj6bxQ2J4N01Tk.com", "To: ": "office-z9@impressindia.net", "ByHost: ": "mail.impressindia.net:587", "Password: ": "aiCQx1fB", "From: ": "office-z9@impressindia.net"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\gspeFYive.exe | ReversingLabs: Detection: 36%
Multi AV Scanner detection for submitted file
Source: Purchase Order_Pdf.exe | ReversingLabs: Detection: 36%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\gspeFYive.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Purchase Order_Pdf.exe | Joe Sandbox ML: detected
Source: 0.2.Purchase Order_Pdf.exe.8f0000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Unpacked PE file: 0.2.Purchase Order_Pdf.exe.8f0000.0.unpack
Source: Purchase Order_Pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Purchase Order_Pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 4x nop then mov eax, dword ptr [ebp-24h] | 0_2_012C47A0

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://WLcj6bxQ2J4N01Tk.com
Source: Joe Sandbox View | IP Address: 192.232.223.161
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: unknown | DNS traffic detected: queries for: mail.impressindia.net
Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp | String found in binary or memory: http://RNjXxX.com
Source: Purchase Order_Pdf.exe, 00000000.00000002.618170547.00000000030D2000.00000004.00000001.sdmp, Purchase Order_Pdf.exe, 00000000.00000002.618336118.000000000314E000.00000004.00000001.sdmp | String found in binary or memory: http://WLcj6bxQ2J4N01Tk.com
Source: Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootca2
Source: Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmp | String found in binary or memory: http://cert.int-x3
Source: Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.
Source: Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.le
Source: Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Purchase Order_Pdf.exe, 00000000.00000002.618273971.0000000003123000.00000004.00000001.sdmp | String found in binary or memory: http://impressindia.net
Source: Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: Purchase Order_Pdf.exe, 00000000.00000002.618273971.0000000003123000.00000004.00000001.sdmp | String found in binary or memory: http://mail.impressindia.net
Source: Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Purchase Order_Pdf.exe, 00000000.00000003.251167211.0000000008309000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Purchase Order_Pdf.exe, 00000000.00000003.249791058.0000000008315000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: Purchase Order_Pdf.exe, 00000000.00000003.249663880.0000000008315000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coma
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Purchase Order_Pdf.exe, 00000000.00000003.249904573.0000000008315000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como.
Source: Purchase Order_Pdf.exe, 00000000.00000003.249562757.0000000008315000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comva
Source: Purchase Order_Pdf.exe, 00000000.00000003.255296308.000000000830F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Purchase Order_Pdf.exe, 00000000.00000003.255296308.000000000830F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com.TTFt$
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Purchase Order_Pdf.exe, 00000000.00000003.254353271.0000000008308000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/:
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Purchase Order_Pdf.exe, 00000000.00000003.254435963.0000000008308000.00000004.00000001.sdmp, Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Purchase Order_Pdf.exe, 00000000.00000003.253923636.0000000008304000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers5:
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Purchase Order_Pdf.exe, 00000000.00000003.255018578.0000000008309000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersT:-
Source: Purchase Order_Pdf.exe, 00000000.00000003.254937068.0000000008309000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersx:
Source: Purchase Order_Pdf.exe, 00000000.00000003.254435963.0000000008308000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comB.TTF
Source: Purchase Order_Pdf.exe, 00000000.00000003.255296308.000000000830F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: Purchase Order_Pdf.exe, 00000000.00000003.254435963.0000000008308000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comFn%D
Source: Purchase Order_Pdf.exe, 00000000.00000003.255296308.000000000830F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalic
Source: Purchase Order_Pdf.exe, 00000000.00000003.255296308.000000000830F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalsa
Source: Purchase Order_Pdf.exe, 00000000.00000003.254726496.0000000008308000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalsd
Source: Purchase Order_Pdf.exe, 00000000.00000003.254435963.0000000008308000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd
Source: Purchase Order_Pdf.exe, 00000000.00000003.254353271.0000000008308000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comitu
Source: Purchase Order_Pdf.exe, 00000000.00000002.623115000.0000000008300000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comm_$
Source: Purchase Order_Pdf.exe, 00000000.00000003.254435963.0000000008308000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comt
Source: Purchase Order_Pdf.exe, 00000000.00000003.254435963.0000000008308000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comtop/
Source: Purchase Order_Pdf.exe, 00000000.00000003.254435963.0000000008308000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comtu/
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Purchase Order_Pdf.exe, 00000000.00000003.249308151.0000000008314000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Purchase Order_Pdf.exe, 00000000.00000003.256503800.000000000830A000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Purchase Order_Pdf.exe, 00000000.00000003.256503800.000000000830A000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/K
Source: Purchase Order_Pdf.exe, 00000000.00000003.256503800.000000000830A000.00000004.00000001.sdmp, Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Purchase Order_Pdf.exe, 00000000.00000003.252076847.0000000008309000.00000004.00000001.sdmp, Purchase Order_Pdf.exe, 00000000.00000003.251032025.0000000008309000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Purchase Order_Pdf.exe, 00000000.00000003.251032025.0000000008309000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/:$
Source: Purchase Order_Pdf.exe, 00000000.00000003.250813109.000000000830A000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/F$
Source: Purchase Order_Pdf.exe, 00000000.00000003.251167211.0000000008309000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/M$
Source: Purchase Order_Pdf.exe, 00000000.00000003.250813109.000000000830A000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Purchase Order_Pdf.exe, 00000000.00000003.251167211.0000000008309000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0($
Source: Purchase Order_Pdf.exe, 00000000.00000003.251032025.0000000008309000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/_$
Source: Purchase Order_Pdf.exe, 00000000.00000003.252386933.0000000008309000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Purchase Order_Pdf.exe, 00000000.00000003.252541981.0000000008309000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/j
Source: Purchase Order_Pdf.exe, 00000000.00000003.252875664.0000000008309000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/n
Source: Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.microsoft.co
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Purchase Order_Pdf.exe, 00000000.00000003.249322008.0000000008312000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comz-mp
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Purchase Order_Pdf.exe, 00000000.00000003.255075401.0000000008309000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
Source: Purchase Order_Pdf.exe, 00000000.00000003.253439230.0000000008309000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deB
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Purchase Order_Pdf.exe, 00000000.00000003.253439230.0000000008309000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deF
Source: Purchase Order_Pdf.exe, 00000000.00000003.253439230.0000000008309000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.delt
Source: Purchase Order_Pdf.exe, 00000000.00000003.249519563.0000000008315000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Purchase Order_Pdf.exe, 00000000.00000003.249481844.0000000008313000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cno.-3p
Source: Purchase Order_Pdf.exe, 00000000.00000003.249481844.0000000008313000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cno.S3
Source: Purchase Order_Pdf.exe, 00000000.00000002.618061506.0000000003081000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%
Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Purchase Order_Pdf.exe, 00000000.00000002.626396624.000000000A420000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Purchase Order_Pdf.exe
Source: initial sample | Static PE information: Filename: Purchase Order_Pdf.exe
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 0_2_00FBD8E0
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 0_2_00FB28D0
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 0_2_00FB9FC8
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 0_2_00FB7728
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 0_2_00FB3E10
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 0_2_012C3D78
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 0_2_02CA2278
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 0_2_02CA30C0
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 0_2_02CA1879
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 0_2_02CA0FC8
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 0_2_02CA0470
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 0_2_02CA4AD8
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 0_2_02CA4AE8
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 0_2_02CA12B1
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 0_2_02CA5380
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 0_2_02CA5390
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 0_2_02CA30AF
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 0_2_02CA5161
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 0_2_02CA5170
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 0_2_02CA57F1
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 0_2_02CA0FAF
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 0_2_02CA4DD9
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 0_2_02CA55E0
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 0_2_02CA55F0
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 0_2_09FAF898
Source: Purchase Order_Pdf.exe | Binary or memory string: OriginalFilename vs Purchase Order_Pdf.exe
Source: Purchase Order_Pdf.exe, 00000000.00000002.613374809.0000000000FA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs Purchase Order_Pdf.exe
Source: Purchase Order_Pdf.exe, 00000000.00000002.611193181.0000000000A0D000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameG vs Purchase Order_Pdf.exe
Source: Purchase Order_Pdf.exe, 00000000.00000002.614320198.0000000001260000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs Purchase Order_Pdf.exe
Source: Purchase Order_Pdf.exe, 00000000.00000002.626058184.000000000A310000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Purchase Order_Pdf.exe
Source: Purchase Order_Pdf.exe, 00000000.00000002.626396624.000000000A420000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamehXQWDkwjorXbZycVPEgxEAcKCNaVjkoW.exe4 vs Purchase Order_Pdf.exe
Source: Purchase Order_Pdf.exe, 00000000.00000002.616957366.0000000002E11000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs Purchase Order_Pdf.exe
Source: Purchase Order_Pdf.exe, 00000000.00000002.621098746.0000000005340000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Purchase Order_Pdf.exe
Source: Purchase Order_Pdf.exe, 00000000.00000002.625668181.0000000009F80000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Purchase Order_Pdf.exe
Source: Purchase Order_Pdf.exe, 00000000.00000002.625668181.0000000009F80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Purchase Order_Pdf.exe
Source: Purchase Order_Pdf.exe, 00000000.00000002.621067126.0000000005330000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs Purchase Order_Pdf.exe
Source: Purchase Order_Pdf.exe, 00000000.00000002.616214968.0000000001350000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Purchase Order_Pdf.exe
Source: Purchase Order_Pdf.exe | Binary or memory string: OriginalFilenameG vs Purchase Order_Pdf.exe
Source: Purchase Order_Pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Purchase Order_Pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: gspeFYive.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/3@2/1
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | File created: C:\Users\user\AppData\Roaming\gspeFYive.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7000:120:WilError_01
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\xhTzDDzutokrrJYCnn
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmpDA8D.tmp
Source: Purchase Order_Pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Purchase Order_Pdf.exe | ReversingLabs: Detection: 36%
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | File read: C:\Users\user\Desktop\Purchase Order_Pdf.exe
Source: unknown | Process created: C:\Users\user\Desktop\Purchase Order_Pdf.exe 'C:\Users\user\Desktop\Purchase Order_Pdf.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gspeFYive' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA8D.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gspeFYive' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA8D.tmp'
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: Purchase Order_Pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Purchase Order_Pdf.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                Source: Purchase Order_Pdf.exeStatic file information: File size 1156096 > 1048576
                Source: Purchase Order_Pdf.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x110400
                Source: Purchase Order_Pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Unpacked PE file: 0.2.Purchase Order_Pdf.exe.8f0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Unpacked PE file: 0.2.Purchase Order_Pdf.exe.8f0000.0.unpack
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 0_2_008F5D84 pushfd ; iretd 0_2_008F5D85
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 0_2_008F54EB push ds; ret 0_2_008F54F3
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 0_2_008F6B43 push ss; retf 0_2_008F6B49
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 0_2_09FA3132 push eax; iretd 0_2_09FA3133
Source: initial sample | Static PE information: section name: .text entropy: 7.47999071167
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | File created: C:\Users\user\AppData\Roaming\gspeFYive.exe

                Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gspeFYive' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA8D.tmp'
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000000.00000002.616957366.0000000002E11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase Order_Pdf.exe PID: 6556, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Window / User API: threadDelayed 8520
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Window / User API: threadDelayed 1338
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe TID: 6560 | Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe TID: 6652 | Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp | Binary or memory string: VMware
Source: Purchase Order_Pdf.exe, 00000000.00000002.621098746.0000000005340000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp | Binary or memory string: =l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp | Binary or memory string: =l"SOFTWARE\VMware, Inc.\VMware Tools
Source: Purchase Order_Pdf.exe, 00000000.00000002.621098746.0000000005340000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Purchase Order_Pdf.exe, 00000000.00000002.621098746.0000000005340000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp | Binary or memory string: VMware
Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: Purchase Order_Pdf.exe, 00000000.00000002.621098746.0000000005340000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 0_2_00FB9828 LdrInitializeThunk,0_2_00FB9828
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gspeFYive' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA8D.tmp'
Source: Purchase Order_Pdf.exe, 00000000.00000002.616292953.00000000016F0000.00000002.00000001.sdmp | Binary or memory string: uProgram Manager
Source: Purchase Order_Pdf.exe, 00000000.00000002.616292953.00000000016F0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Purchase Order_Pdf.exe, 00000000.00000002.616292953.00000000016F0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Purchase Order_Pdf.exe, 00000000.00000002.616292953.00000000016F0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Users\user\Desktop\Purchase Order_Pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\arial.ttf | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography | MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.618170547.00000000030D2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.618083495.000000000308F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.626396624.000000000A420000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.618858584.0000000004804000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase Order_Pdf.exe PID: 6556, type: MEMORY
Source: Yara match | File source: 0.2.Purchase Order_Pdf.exe.a420000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Purchase Order_Pdf.exe.a420000.10.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies

Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: Yara match | File source: 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase Order_Pdf.exe PID: 6556, type: MEMORY
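The file-open events above are the credential stores this sample read: Chrome's Login Data and Cookies, the Firefox and Thunderbird profiles.ini, FileZilla's recentservers.xml and the SmartFTP favorites folder. The Python below is an editor's example added to this page; it is not code from the Joe Sandbox report or from the sample. It turns those paths into detection logic over constructed file-access log lines: any process that opens one of these stores without being the application that owns it is flagged, and the flags are then correlated per process so that a single image sweeping browser, mail and FTP stores together (the pattern in the events above) stands out from a lone foreign read by, say, a backup agent. The log format (timestamp|image|target), the owner-process image names and the sample events are assumptions, not taken from the report.

```python
"""Flag credential-store reads by processes that do not own the store.

Editor's example, not code from the Joe Sandbox report or the sample.
Store paths come from the report's file-open events; the log format
(timestamp|image|target), owner process names and SAMPLE_EVENTS are
constructed assumptions.
"""
import re
from collections import defaultdict

# store name -> (path regex, image names normally allowed to read it).
# The owner image names are an assumption about the legitimate application.
CREDENTIAL_STORES = {
    "chrome_login_data": (
        re.compile(r"\\AppData\\Local\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I),
        {"chrome.exe"}),
    "chrome_cookies": (
        re.compile(r"\\AppData\\Local\\Google\\Chrome\\User Data\\[^\\]+\\Cookies$", re.I),
        {"chrome.exe"}),
    "firefox_profiles": (
        re.compile(r"\\AppData\\Roaming\\Mozilla\\Firefox\\profiles\.ini$", re.I),
        {"firefox.exe"}),
    "thunderbird_profiles": (
        re.compile(r"\\AppData\\Roaming\\Thunderbird\\profiles\.ini$", re.I),
        {"thunderbird.exe"}),
    "filezilla_recent_servers": (
        re.compile(r"\\AppData\\Roaming\\FileZilla\\recentservers\.xml$", re.I),
        {"filezilla.exe"}),
    "smartftp_favorites": (
        re.compile(r"\\AppData\\Roaming\\SmartFTP\\Client 2\.0\\Favorites\\", re.I),
        {"smartftp.exe"}),
}

# Constructed file-access events: one legitimate read by each owner, the
# sample's sweep across four stores, and an unrelated document read.
SAMPLE_EVENTS = [
    r"2021-01-14T10:02:11Z|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2021-01-14T10:02:15Z|C:\Users\user\Desktop\Purchase Order_Pdf.exe|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2021-01-14T10:02:15Z|C:\Users\user\Desktop\Purchase Order_Pdf.exe|C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"2021-01-14T10:02:16Z|C:\Users\user\Desktop\Purchase Order_Pdf.exe|C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml",
    r"2021-01-14T10:02:16Z|C:\Users\user\Desktop\Purchase Order_Pdf.exe|C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
    r"2021-01-14T10:03:00Z|C:\Program Files\Mozilla Firefox\firefox.exe|C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"2021-01-14T10:03:40Z|C:\Windows\explorer.exe|C:\Users\user\Documents\report.docx",
]


def parse_event(line):
    """Split one 'timestamp|image|target' line into a (timestamp, image, target) tuple."""
    timestamp, image, target = line.strip().split("|", 2)
    return timestamp, image, target


def store_for(path):
    """Name of the credential store a target path belongs to, or None."""
    for name, (pattern, _owners) in CREDENTIAL_STORES.items():
        if pattern.search(path):
            return name
    return None


def image_name(image):
    """Case-folded file name of a process image path."""
    return image.rsplit("\\", 1)[-1].lower()


def suspicious_reads(lines):
    """(image, store, target) for every store read by a process that does not own it."""
    alerts = []
    for line in lines:
        _timestamp, image, target = parse_event(line)
        store = store_for(target)
        if store is None:
            continue
        _pattern, owners = CREDENTIAL_STORES[store]
        if image_name(image) not in owners:
            alerts.append((image, store, target))
    return alerts


def credential_sweeps(lines, min_stores=2):
    """Images that read at least min_stores distinct stores they do not own.

    One foreign read may be a backup or sync tool; a single process touching
    browser, mail and FTP stores in the same log is the stealer pattern.
    """
    by_image = defaultdict(set)
    for image, store, _target in suspicious_reads(lines):
        by_image[image].add(store)
    return {img: sorted(stores) for img, stores in by_image.items()
            if len(stores) >= min_stores}


if __name__ == "__main__":
    for image, store, target in suspicious_reads(SAMPLE_EVENTS):
        print(f"ALERT {image} read {store}: {target}")
    for image, stores in credential_sweeps(SAMPLE_EVENTS).items():
        print(f"SWEEP {image}: {', '.join(stores)}")
```

On the constructed events, chrome.exe and firefox.exe reading their own stores produce nothing, explorer.exe reading a document is ignored, and the four reads by Purchase Order_Pdf.exe produce four alerts that collapse into one sweep. To run this against real telemetry, replace parse_event with a parser for your EDR or Sysmon file-access events and extend the owner sets with whatever legitimately reads each store in your environment (password managers, backup agents); the correlation threshold is what keeps those from paging anyone.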

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.618170547.00000000030D2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.618083495.000000000308F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.626396624.000000000A420000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.618858584.0000000004804000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase Order_Pdf.exe PID: 6556, type: MEMORY
Source: Yara match | File source: 0.2.Purchase Order_Pdf.exe.a420000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Purchase Order_Pdf.exe.a420000.10.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

The matrix is listed here by tactic. Techniques followed by a bracketed number were matched by signatures in this analysis; the digits are the report's signature-count badges as extracted. Unmarked techniques are the matrix's fixed reference entries and were not observed.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation [211]; Scheduled Task/Job [1]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Scheduled Task/Job [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection [12]; Scheduled Task/Job [1]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading [1]; Virtualization/Sandbox Evasion [14]; Disable or Modify Tools [1]; Process Injection [12]; Obfuscated Files or Information [3]; Software Packing [23]; Compile After Delivery; Indicator Removal from Tools
Credential Access: OS Credential Dumping [2]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Query Registry [1]; Security Software Discovery [321]; Virtualization/Sandbox Evasion [14]; Process Discovery [2]; Application Window Discovery [1]; Remote System Discovery [1]; File and Directory Discovery [1]; System Information Discovery [113]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Email Collection [1]; Archive Collected Data [1]; Data from Local System [2]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [11]; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Behavior Graph

[The interactive behavior graph is not reproduced in this extraction. Its legend distinguishes: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, implementation language (Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other), Is malicious, Internet.]

Screenshots

[Screenshot thumbnails are not reproduced in this extraction.]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Purchase Order_Pdf.exe | 36% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
Purchase Order_Pdf.exe | 100% | Avira | HEUR/AGEN.1120329
Purchase Order_Pdf.exe | 100% | Joe Sandbox ML | -

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\gspeFYive.exe | 100% | Avira | HEUR/AGEN.1120329
C:\Users\user\AppData\Roaming\gspeFYive.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\gspeFYive.exe | 36% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.Purchase Order_Pdf.exe.8f0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2
0.0.Purchase Order_Pdf.exe.8f0000.0.unpack | 100% | Avira | HEUR/AGEN.1120329

                Domains

                No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.fontbureau.comalsa | 0% | Avira URL Cloud | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://impressindia.net | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0($ | 0% | Avira URL Cloud | safe
http://www.carterandcone.comva | 0% | Avira URL Cloud | safe
http://www.microsoft.co | 0% | URL Reputation | safe
http://www.fontbureau.comtu/ | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.fontbureau.comm_$ | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/F$ | 0% | Avira URL Cloud | safe
http://cps.letsencrypt. | 0% | Avira URL Cloud | safe
http://www.fontbureau.comFn%D | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://RNjXxX.com | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://cps.root-x1.le | 0% | Avira URL Cloud | safe
http://www.fontbureau.com.TTFt$ | 0% | Avira URL Cloud | safe
http://www.fontbureau.comB.TTF | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/j | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/M$ | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe
http://www.zhongyicts.com.cno.S3 | 0% | Avira URL Cloud | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.carterandcone.como. | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://api.ipify.org% | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://WLcj6bxQ2J4N01Tk.com | 0% | Avira URL Cloud | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe
http://www.fontbureau.comalsd | 0% | Avira URL Cloud | safe
http://www.carterandcone.coma | 0% | URL Reputation | safe
http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.fontbureau.comF | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
impressindia.net | 192.232.223.161 | true | true | - | unknown
mail.impressindia.net | unknown | unknown | true | - | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://WLcj6bxQ2J4N01Tk.com | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.comalsa | Purchase Order_Pdf.exe, 00000000.00000003.255296308.000000000830F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://127.0.0.1:HTTP/1.1 | Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designers/: | Purchase Order_Pdf.exe, 00000000.00000003.254353271.0000000008308000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersG | Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | false | - | high
http://impressindia.net | Purchase Order_Pdf.exe, 00000000.00000002.618273971.0000000003123000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Y0($ | Purchase Order_Pdf.exe, 00000000.00000003.251167211.0000000008309000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | false | - | high
http://www.carterandcone.comva | Purchase Order_Pdf.exe, 00000000.00000003.249562757.0000000008315000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.microsoft.co | Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comtu/ | Purchase Order_Pdf.exe, 00000000.00000003.254435963.0000000008308000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | false | - | high
http://www.goodfont.co.kr | Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | Purchase Order_Pdf.exe, 00000000.00000003.249791058.0000000008315000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comm_$ | Purchase Order_Pdf.exe, 00000000.00000002.623115000.0000000008300000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.jiyu-kobo.co.jp/F$ | Purchase Order_Pdf.exe, 00000000.00000003.250813109.000000000830A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://cps.letsencrypt. | Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comFn%D | Purchase Order_Pdf.exe, 00000000.00000003.254435963.0000000008308000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.sajatypeworks.com | Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://RNjXxX.com | Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Purchase Order_Pdf.exe, 00000000.00000003.256503800.000000000830A000.00000004.00000001.sdmp; Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://cps.root-x1.le | Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com.TTFt$ | Purchase Order_Pdf.exe, 00000000.00000003.255296308.000000000830F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.comB.TTF | Purchase Order_Pdf.exe, 00000000.00000003.254435963.0000000008308000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://cert.int-x3.letsencrypt.org/0 | Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersx: | Purchase Order_Pdf.exe, 00000000.00000003.254937068.0000000008309000.00000004.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/jp/j | Purchase Order_Pdf.exe, 00000000.00000003.252541981.0000000008309000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                                  http://www.galapagosdesign.com/DPleasePurchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/M$Purchase Order_Pdf.exe, 00000000.00000003.251167211.0000000008309000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/Y0Purchase Order_Pdf.exe, 00000000.00000003.250813109.000000000830A000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.zhongyicts.com.cno.S3Purchase Order_Pdf.exe, 00000000.00000003.249481844.0000000008313000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://api.ipify.org%GETMozilla/5.0Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  low
                                  http://www.ascendercorp.com/typedesigners.htmlPurchase Order_Pdf.exe, 00000000.00000003.251167211.0000000008309000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fonts.comPurchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmpfalse
                                    high
                                    http://www.sandoll.co.krPurchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.urwpp.deDPleasePurchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.urwpp.dePurchase Order_Pdf.exe, 00000000.00000003.255075401.0000000008309000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.zhongyicts.com.cnPurchase Order_Pdf.exe, 00000000.00000003.249519563.0000000008315000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namePurchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmpfalse
                                      high
                                      http://www.carterandcone.como.Purchase Order_Pdf.exe, 00000000.00000003.249904573.0000000008315000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.sakkal.comPurchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://api.ipify.org%Purchase Order_Pdf.exe, 00000000.00000002.618061506.0000000003081000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      low
                                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipPurchase Order_Pdf.exe, 00000000.00000002.626396624.000000000A420000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://cps.root-x1.letsencrypt.org0Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.comalsdPurchase Order_Pdf.exe, 00000000.00000003.254726496.0000000008308000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.carterandcone.comaPurchase Order_Pdf.exe, 00000000.00000003.249663880.0000000008315000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.apache.org/licenses/LICENSE-2.0Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmpfalse
                                        high
                                        http://www.fontbureau.comPurchase Order_Pdf.exe, 00000000.00000003.255296308.000000000830F000.00000004.00000001.sdmpfalse
                                          high
                                          http://www.galapagosdesign.com/Purchase Order_Pdf.exe, 00000000.00000003.256503800.000000000830A000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://DynDns.comDynDNSPurchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.comFPurchase Order_Pdf.exe, 00000000.00000003.255296308.000000000830F000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.zhongyicts.com.cno.-3pPurchase Order_Pdf.exe, 00000000.00000003.249481844.0000000008313000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          low
                                          http://www.fontbureau.com/designersT:-Purchase Order_Pdf.exe, 00000000.00000003.255018578.0000000008309000.00000004.00000001.sdmpfalse
                                            high
                                            http://cps.letsencrypt.org0Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.com/designers5:Purchase Order_Pdf.exe, 00000000.00000003.253923636.0000000008304000.00000004.00000001.sdmpfalse
                                              high
                                              http://www.tiro.comz-mpPurchase Order_Pdf.exe, 00000000.00000003.249322008.0000000008312000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haPurchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://ocsp.int-x3.letsencrypt.org0/Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.jiyu-kobo.co.jp/jp/nPurchase Order_Pdf.exe, 00000000.00000003.252875664.0000000008309000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.urwpp.deFPurchase Order_Pdf.exe, 00000000.00000003.253439230.0000000008309000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://mail.impressindia.netPurchase Order_Pdf.exe, 00000000.00000002.618273971.0000000003123000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.jiyu-kobo.co.jp/jp/Purchase Order_Pdf.exe, 00000000.00000003.252386933.0000000008309000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.comdPurchase Order_Pdf.exe, 00000000.00000003.254435963.0000000008308000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.carterandcone.comlPurchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.galapagosdesign.com/KPurchase Order_Pdf.exe, 00000000.00000003.256503800.000000000830A000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.urwpp.deBPurchase Order_Pdf.exe, 00000000.00000003.253439230.0000000008309000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.fontbureau.com/designers/cabarga.htmlNPurchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmpfalse
                                                high
                                                http://www.jiyu-kobo.co.jp/_$Purchase Order_Pdf.exe, 00000000.00000003.251032025.0000000008309000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.founder.com.cn/cnPurchase Order_Pdf.exe, 00000000.00000003.249308151.0000000008314000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.com/designers/frere-jones.htmlPurchase Order_Pdf.exe, 00000000.00000003.254435963.0000000008308000.00000004.00000001.sdmp, Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmpfalse
                                                  high
                                                  http://www.jiyu-kobo.co.jp/:$Purchase Order_Pdf.exe, 00000000.00000003.251032025.0000000008309000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.fontbureau.comtPurchase Order_Pdf.exe, 00000000.00000003.254435963.0000000008308000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://cert.int-x3Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.jiyu-kobo.co.jp/Purchase Order_Pdf.exe, 00000000.00000003.252076847.0000000008309000.00000004.00000001.sdmp, Purchase Order_Pdf.exe, 00000000.00000003.251032025.0000000008309000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.com/designers8Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmpfalse
                                                    high
                                                    http://www.fontbureau.comituPurchase Order_Pdf.exe, 00000000.00000003.254353271.0000000008308000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.fontbureau.comalicPurchase Order_Pdf.exe, 00000000.00000003.255296308.000000000830F000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.fontbureau.comtop/Purchase Order_Pdf.exe, 00000000.00000003.254435963.0000000008308000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.urwpp.deltPurchase Order_Pdf.exe, 00000000.00000003.253439230.0000000008309000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown

                                                    Contacted IPs


                                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
192.232.223.161 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | true

                                                    General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 339377
Start date: 13.01.2021
Start time: 21:55:38
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 49s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Purchase Order_Pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 31
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/3@2/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 2.7% (good quality ratio 1.1%)
• Quality average: 26.7%
• Quality standard deviation: 35.1%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 42
• Number of non-executed functions: 14
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 52.147.198.201, 40.88.32.150, 23.210.248.85, 51.104.139.180, 92.122.213.194, 92.122.213.247, 2.20.142.209, 2.20.142.210, 51.103.5.186, 52.155.217.156, 20.54.26.129
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/339377/sample/Purchase Order_Pdf.exe

                                                    Simulations

                                                    Behavior and APIs

Time | Type | Description
21:56:43 | API Interceptor | 1029x Sleep call for process: Purchase Order_Pdf.exe modified

                                                    Joe Sandbox View / Context

                                                    IPs

Match: 192.232.223.161
Associated Sample Name / URL (every entry detected as malicious):
• Long overdue statement of account_pdf.exe
• October Order confirmation _00999345678.exe
• Invoice_confirmation pdf.exe
• Quotation_pdf.exe
• Bank details_00998674453.exe
• h1Bc2dH3KSA6c5Y.exe
• aSBt2BqOTg2Vimg.exe
• SCAN_191915157.exe
• 2HMMPZq2DMEyqQI.exe
• RFQ_777151519.exe
• FASM-Q-006420.exe
• 1UOc3IlymBO3Zh8.exe
• WNEzyyS8Ix22ok3.exe
• YQeDa6uzdy4Y2VX.exe
• of-az1.exe
• PI_CRG 9E78.exe
• invoice.exe
• uM7P1r5W6NqH1Of.exe
• CbV2kvzll2F6CWy.exe
• Invoice_1008.exe

                                                                                            Domains

Match | Associated Sample Name / URL | Detection
(no entries)

                                                                                            ASN

Match: UNIFIEDLAYER-AS-1US
Associated Sample Name / URL (every entry detected as malicious; context IP in parentheses):
• JdtN8nIcLi8RQOi.exe (192.185.0.218)
• message 222992.doc (50.116.93.238)
• 20210111 Virginie.exe (50.87.253.47)
• FtLroeD5Kmr6rNC.exe (74.220.199.6)
• pHUWiFd56t.exe (50.87.170.37)
• NKP210102-NIT-SC2.exe (192.185.112.184)
• quotation.exe (192.185.121.114)
• Doc_74657456348374.xlsx.exe (108.179.242.70)
• COMFAM INVOICE.htm (162.241.243.101)
• yaQjVEGNEb.exe (50.87.253.239)
• Purchase Order -263.exe (162.144.235.96)
• 0XrD9TsGUr.exe (162.241.60.214)
• REQUEST FOR QUOTATION.xlsx (108.179.194.68)
• Q52msELKeI.exe (50.116.112.232)
• sample20210111-01.xlsm (74.220.219.210)
• SEA LION LOGISTICS-URGENT QUOTATION.exe (192.185.0.218)
• Electronic form.doc (50.116.111.59)
• 8wPRuahY1M.dll (50.116.111.59)
                                                                                            ARCH_2021.docGet hashmaliciousBrowse
                                                                                            • 162.241.153.163
                                                                                            PO21010699XYJ.exeGet hashmaliciousBrowse
                                                                                            • 216.172.185.10

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\tmpDA8D.tmp
Process: C:\Users\user\Desktop\Purchase Order_Pdf.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1658
Entropy (8bit): 5.169176016857226
Encrypted: false
SSDEEP: 24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBQtn:cbhH7MlNQ8/rydbz9I3YODOLNdq3U
MD5: 5D0EA5A7DD09C75D615B75DA28611194
SHA1: 3A4E36A52D51D274FA485B6098C574744F500157
SHA-256: 3993CB7BE1DDB58AAC837D7BD733E8B772794FCB0E1C330356D49A5160BC4428
SHA-512: 106228BBF3E25DEF9DDBE4C0B3C239DEEAB6B1A1B75B7E215FB5F773685C94A6D4F35D0BE1D1AB5EA8CD2C035BF4E9DE5B0D9A566D238D302B3399D1A3697CD0
Malicious: true
Reputation: low
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv

C:\Users\user\AppData\Roaming\gspeFYive.exe
Process: C:\Users\user\Desktop\Purchase Order_Pdf.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 1156096
Entropy (8bit): 7.349226178998309
Encrypted: false
SSDEEP: 24576:2hKVYTkh86wM31EqZWXKKKi81Uox1O4/BjdnU:2hKtlE6W6KKi8ioHO4/s
MD5: 24AB440BA14AF239092DC2F4C04A4AED
SHA1: 4F060FB538C3F5FBA0B7E8E95BFC5C3F620EA190
SHA-256: C213685D3005FBAC05B0CD6B11A077F57CC4D50FCB762C7CAB8A81AE7DEC2043
SHA-512: 2D3BA4CED486D9DE70598F9934E20951FE7E4E056D8F50A9ED4C6F947E169885EFE9F7C9B24D2DCFF345BA0B7B33CA47EE11DEFDADE776DD22514ABA22D8A10B
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 36%
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.._..............0..............#... ...@....@.. ....................................@.................................|#..O....@..`............................................................................ ............... ..H............text........ ...................... ..`.rsrc...`....@......................@..@.reloc..............................@..B.................#......H.......X...$..........................................................k...E'..a..4...Fq.S.......b..`7...d....L ~.+D..Ba.L..5.)b....ZiG.....r9.d....z.[Q..0.\C7(Wn...cR.e'......8.fEd...F1... ]..{u.._s.\Ys.....x!S....1...)..v....e...xR6G7.[.9.1......g.'.}.nI.r`e.........P.@...Q._K...I....Tj....9S} .....E.{}..(..M...)..*.Q.b..%..n>.....f.=.3.[>.....~.L..0.........kh..lk'N.....v..<.....+.,G.2..xs.fe..RQt.E...o]...k.I............9.3O,Y...0`.Qru.Z.P..:.% .\.5.c.

C:\Users\user\AppData\Roaming\t12j2i30.rxs\Chrome\Default\Cookies
Process: C:\Users\user\Desktop\Purchase Order_Pdf.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.6969296358976265
Encrypted: false
SSDEEP: 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBo2+tYeF+X:T5LLOpEO5J/Kn7U1uBo2UYeQ
MD5: A9DBC7B8E523ABE3B02D77DBF2FCD645
SHA1: DF5EE16ECF4B3B02E312F935AE81D4C5D2E91CA8
SHA-256: 39B4E45A062DEA6F541C18FA1A15C5C0DB43A59673A26E2EB5B8A4345EE767AE
SHA-512: 3CF87455263E395313E779D4F440D8405D86244E04B5F577BB9FA2F4A2069DE019D340F6B2F6EF420DEE3D3DEEFD4B58DA3FCA3BB802DE348E1A810D6379CC3B
Malicious: false
Reputation: moderate, very likely benign file
Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.349226178998309
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: Purchase Order_Pdf.exe
File size: 1156096
MD5: 24ab440ba14af239092dc2f4c04a4aed
SHA1: 4f060fb538c3f5fba0b7e8e95bfc5c3f620ea190
SHA256: c213685d3005fbac05b0cd6b11a077f57cc4d50fcb762c7cab8a81ae7dec2043
SHA512: 2d3ba4ced486d9de70598f9934e20951fe7e4e056d8f50a9ed4c6f947e169885efe9f7c9b24d2dcff345ba0b7b33ca47ee11defdade776dd22514aba22d8a10b
SSDEEP: 24576:2hKVYTkh86wM31EqZWXKKKi81Uox1O4/BjdnU:2hKtlE6W6KKi8ioHO4/s
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.._..............0..............#... ...@....@.. ....................................@................................

File Icon

Icon Hash: 0000000000000000

Static PE Info

General

Entrypoint: 0x5123ce
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5FFEC647 [Wed Jan 13 10:07:03 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                            Entrypoint Preview

                                                                                            Instruction
                                                                                            jmp dword ptr [00402000h]
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x11237c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x114000 | 0x9b60 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x11e000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x1103d4 | 0x110400 | False | 0.766256313131 | data | 7.47999071167 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x114000 | 0x9b60 | 0x9c00 | False | 0.0511318108974 | data | 0.943558488495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x11e000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x114130 | 0x94a8 | data | |
RT_GROUP_ICON | 0x11d5d8 | 0x14 | data | |
RT_VERSION | 0x11d5ec | 0x388 | data | |
RT_MANIFEST | 0x11d974 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright Overwolf 2011 - 2020
Assembly Version | 2.159.0.0
InternalName | .exe
FileVersion | 2.159.0.0
CompanyName | Overwolf Ltd.
LegalTrademarks |
Comments | Overwolf Launcher
ProductName | OverwolfLauncher
ProductVersion | 2.159.0.0
FileDescription | OverwolfLauncher
OriginalFilename | .exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 13, 2021 21:58:21.322211981 CET | 49752 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:21.499315023 CET | 587 | 49752 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:21.499434948 CET | 49752 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:22.124313116 CET | 587 | 49752 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:22.126264095 CET | 49752 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:22.305378914 CET | 587 | 49752 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:22.307450056 CET | 49752 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:22.490365982 CET | 587 | 49752 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:22.528573990 CET | 49752 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:22.722615004 CET | 587 | 49752 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:22.722641945 CET | 587 | 49752 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:22.722657919 CET | 587 | 49752 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:22.722793102 CET | 49752 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:22.730329037 CET | 49752 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:22.908550024 CET | 587 | 49752 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:22.952666044 CET | 49752 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:22.963437080 CET | 49752 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:23.141809940 CET | 587 | 49752 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:23.143624067 CET | 49752 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:23.322933912 CET | 587 | 49752 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:23.324584961 CET | 49752 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:23.543452978 CET | 587 | 49752 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:23.547367096 CET | 587 | 49752 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:23.548557997 CET | 49752 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:23.725780964 CET | 587 | 49752 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:23.726326942 CET | 49752 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:23.936135054 CET | 587 | 49752 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:23.936666965 CET | 49752 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:24.114540100 CET | 587 | 49752 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:24.117417097 CET | 49752 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:24.117449045 CET | 49752 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:24.118386030 CET | 49752 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:24.118405104 CET | 49752 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:24.294449091 CET | 587 | 49752 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:24.294843912 CET | 587 | 49752 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:24.295243025 CET | 587 | 49752 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:24.295268059 CET | 587 | 49752 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:24.295722008 CET | 587 | 49752 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:24.343414068 CET | 49752 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:25.019172907 CET | 49752 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:25.198066950 CET | 587 | 49752 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:25.198276997 CET | 49752 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:25.208103895 CET | 49752 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:25.208877087 CET | 49754 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:25.388391972 CET | 587 | 49754 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:25.388552904 CET | 49754 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:25.711385965 CET | 587 | 49754 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:25.711759090 CET | 49754 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:25.892165899 CET | 587 | 49754 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:25.892462969 CET | 49754 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:26.078962088 CET | 587 | 49754 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:26.079407930 CET | 49754 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:26.280422926 CET | 587 | 49754 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:26.280453920 CET | 587 | 49754 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:26.280472040 CET | 587 | 49754 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:26.280530930 CET | 49754 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:26.284682035 CET | 49754 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:26.463880062 CET | 587 | 49754 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:26.465822935 CET | 49754 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:26.653400898 CET | 587 | 49754 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:26.654957056 CET | 49754 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:26.843375921 CET | 587 | 49754 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:26.844296932 CET | 49754 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:27.039108038 CET | 587 | 49754 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:27.040961027 CET | 49754 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:27.224366903 CET | 587 | 49754 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:27.225251913 CET | 49754 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:27.430967093 CET | 587 | 49754 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:27.431785107 CET | 49754 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:27.610451937 CET | 587 | 49754 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:27.612467051 CET | 49754 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:27.613121986 CET | 49754 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:27.613254070 CET | 49754 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:27.613506079 CET | 49754 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:27.613918066 CET | 49754 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:27.614365101 CET | 49754 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:27.614375114 CET | 49754 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:27.614617109 CET | 49754 | 587 | 192.168.2.7 | 192.232.223.161
Jan 13, 2021 21:58:27.809431076 CET | 587 | 49754 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:27.809454918 CET | 587 | 49754 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:27.809465885 CET | 587 | 49754 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:27.809478045 CET | 587 | 49754 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:27.809489965 CET | 587 | 49754 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:27.809499979 CET | 587 | 49754 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:27.809510946 CET | 587 | 49754 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:27.809521914 CET | 587 | 49754 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:27.809539080 CET | 587 | 49754 | 192.232.223.161 | 192.168.2.7
Jan 13, 2021 21:58:27.859483957 CET | 49754 | 587 | 192.168.2.7 | 192.232.223.161

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 13, 2021 21:56:27.807234049 CET | 59762 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:56:27.854935884 CET | 53 | 59762 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:56:28.683409929 CET | 54329 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:56:28.731363058 CET | 53 | 54329 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:56:29.491784096 CET | 58052 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:56:29.555274010 CET | 53 | 58052 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:56:30.347202063 CET | 54008 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:56:30.395040035 CET | 53 | 54008 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:56:31.519989014 CET | 59451 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:56:31.568135023 CET | 53 | 59451 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:56:32.844080925 CET | 52914 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:56:32.900326014 CET | 53 | 52914 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:56:33.718538046 CET | 64569 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:56:33.769412041 CET | 53 | 64569 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:56:35.042583942 CET | 52816 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:56:35.090622902 CET | 53 | 52816 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:56:36.427578926 CET | 50781 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:56:36.483946085 CET | 53 | 50781 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:56:37.913880110 CET | 54230 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:56:37.961796999 CET | 53 | 54230 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:56:38.761687994 CET | 54911 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:56:38.812303066 CET | 53 | 54911 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:56:40.122034073 CET | 49958 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:56:40.170057058 CET | 53 | 49958 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:56:40.985213995 CET | 50860 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:56:41.033047915 CET | 53 | 50860 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:56:42.142440081 CET | 50452 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:56:42.193011999 CET | 53 | 50452 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:56:44.364391088 CET | 59730 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:56:44.415065050 CET | 53 | 59730 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:56:44.686068058 CET | 59310 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:56:44.769263029 CET | 53 | 59310 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:56:45.689728022 CET | 51919 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:56:45.740391970 CET | 53 | 51919 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:56:57.514858961 CET | 64296 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:56:57.565558910 CET | 53 | 64296 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:57:00.386543036 CET | 56680 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:57:00.444370031 CET | 53 | 56680 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:57:16.780972958 CET | 58820 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:57:16.841871977 CET | 53 | 58820 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:57:17.710433006 CET | 60983 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:57:17.776699066 CET | 53 | 60983 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:57:19.924963951 CET | 49247 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:57:19.972986937 CET | 53 | 49247 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:57:23.522506952 CET | 52286 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:57:23.579838991 CET | 53 | 52286 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:57:27.275131941 CET | 56064 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:57:27.335627079 CET | 53 | 56064 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:57:44.903414965 CET | 63744 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:57:44.981543064 CET | 53 | 63744 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:57:45.716463089 CET | 61457 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:57:45.767354965 CET | 53 | 61457 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:57:46.346462965 CET | 58367 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:57:46.403110981 CET | 53 | 58367 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:57:46.940690041 CET | 60599 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:57:47.017616034 CET | 53 | 60599 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:57:47.389615059 CET | 59571 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:57:47.440344095 CET | 52689 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:57:47.462502956 CET | 53 | 59571 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:57:47.496854067 CET | 53 | 52689 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:57:48.032812119 CET | 50290 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:57:48.091221094 CET | 53 | 50290 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:57:48.644248962 CET | 60427 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:57:48.700783014 CET | 53 | 60427 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:57:49.517862082 CET | 56209 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:57:49.577251911 CET | 53 | 56209 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:57:50.428700924 CET | 59582 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:57:50.476654053 CET | 53 | 59582 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:57:50.924586058 CET | 60949 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:57:50.980868101 CET | 53 | 60949 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:58:20.892354965 CET | 58542 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:58:21.084769011 CET | 53 | 58542 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:58:21.100749016 CET | 59179 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:58:21.292725086 CET | 53 | 59179 | 8.8.8.8 | 192.168.2.7
Jan 13, 2021 21:58:24.528209925 CET | 60927 | 53 | 192.168.2.7 | 8.8.8.8
Jan 13, 2021 21:58:24.579427958 CET | 53 | 60927 | 8.8.8.8 | 192.168.2.7

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 13, 2021 21:58:20.892354965 CET | 192.168.2.7 | 8.8.8.8 | 0xf5be | Standard query (0) | mail.impressindia.net | A (IP address) | IN (0x0001)
Jan 13, 2021 21:58:21.100749016 CET | 192.168.2.7 | 8.8.8.8 | 0xdbc8 | Standard query (0) | mail.impressindia.net | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 13, 2021 21:58:21.084769011 CET | 8.8.8.8 | 192.168.2.7 | 0xf5be | No error (0) | mail.impressindia.net | impressindia.net | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 21:58:21.084769011 CET | 8.8.8.8 | 192.168.2.7 | 0xf5be | No error (0) | impressindia.net | | 192.232.223.161 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:58:21.292725086 CET | 8.8.8.8 | 192.168.2.7 | 0xdbc8 | No error (0) | mail.impressindia.net | impressindia.net | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 21:58:21.292725086 CET | 8.8.8.8 | 192.168.2.7 | 0xdbc8 | No error (0) | impressindia.net | | 192.232.223.161 | A (IP address) | IN (0x0001)

                                                                                            SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jan 13, 2021 21:58:22.124313116 CET | 587 | 49752 | 192.232.223.161 | 192.168.2.7 | 220-gator3040.hostgator.com ESMTP Exim 4.93 #2 Wed, 13 Jan 2021 14:58:22 -0600
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Jan 13, 2021 21:58:22.126264095 CET | 49752 | 587 | 192.168.2.7 | 192.232.223.161 | EHLO 302494
Jan 13, 2021 21:58:22.305378914 CET | 587 | 49752 | 192.232.223.161 | 192.168.2.7 | 250-gator3040.hostgator.com Hello 302494 [84.17.52.74]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Jan 13, 2021 21:58:22.307450056 CET | 49752 | 587 | 192.168.2.7 | 192.232.223.161 | STARTTLS
Jan 13, 2021 21:58:22.490365982 CET | 587 | 49752 | 192.232.223.161 | 192.168.2.7 | 220 TLS go ahead
Jan 13, 2021 21:58:25.711385965 CET | 587 | 49754 | 192.232.223.161 | 192.168.2.7 | 220-gator3040.hostgator.com ESMTP Exim 4.93 #2 Wed, 13 Jan 2021 14:58:25 -0600
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Jan 13, 2021 21:58:25.711759090 CET | 49754 | 587 | 192.168.2.7 | 192.232.223.161 | EHLO 302494
Jan 13, 2021 21:58:25.892165899 CET | 587 | 49754 | 192.232.223.161 | 192.168.2.7 | 250-gator3040.hostgator.com Hello 302494 [84.17.52.74]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Jan 13, 2021 21:58:25.892462969 CET | 49754 | 587 | 192.168.2.7 | 192.232.223.161 | STARTTLS
Jan 13, 2021 21:58:26.078962088 CET | 587 | 49754 | 192.232.223.161 | 192.168.2.7 | 220 TLS go ahead

                                                                                            Code Manipulations

                                                                                            System Behavior

                                                                                            General

Start time: 21:56:34
Start date: 13/01/2021
Path: C:\Users\user\Desktop\Purchase Order_Pdf.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Purchase Order_Pdf.exe'
Imagebase: 0x8f0000
File size: 1156096 bytes
MD5 hash: 24AB440BA14AF239092DC2F4C04A4AED
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.618170547.00000000030D2000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.618083495.000000000308F000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.626396624.000000000A420000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.616957366.0000000002E11000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.618858584.0000000004804000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 21:56:47
Start date: 13/01/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gspeFYive' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA8D.tmp'
Imagebase: 0x11f0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:56:47
Start date: 13/01/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff774ee0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                            Disassembly

                                                                                            Code Analysis

                                                                                              Executed Functions

                                                                                              • Opcode Fuzzy Hash: 2da0bc63c53b9df9cc45831cfe2afe0a1e8a5775a3e852d95d7e11db67287085
                                                                                              • Instruction Fuzzy Hash: D111C136D05288DFCB05CFA9D9104DEFFB1EF8A220F04426BEA00F7260E6345919CBA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.613415580.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: TaskmanWindow
                                                                                              • String ID: \$\$\
                                                                                              • API String ID: 1813601361-3791832595
                                                                                              • Opcode ID: f4436acc81eaa16856992773ff2a252cee47203391e972100005fad7c9f775a4
                                                                                              • Instruction ID: 4a9690727d02c3359946f3b3567e62ff141d09230bdab2b161060580ef8b1d2a
                                                                                              • Opcode Fuzzy Hash: f4436acc81eaa16856992773ff2a252cee47203391e972100005fad7c9f775a4
                                                                                              • Instruction Fuzzy Hash: 5171C471B002148BCB24DB79D4547EE77F2ABC8724F14D529D85AEB380EB38DC459B91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.613415580.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: _
                                                                                              • API String ID: 0-3323537971
                                                                                              • Opcode ID: 23e9f176a9acfac107fe4bfdb9ad287020558cadf7be01a857a6d85c049e8844
                                                                                              • Instruction ID: 95683520e11e73ff00f10fed4ac84f38346e470ba3ceb4f14c3fe90f6da9c37e
                                                                                              • Opcode Fuzzy Hash: 23e9f176a9acfac107fe4bfdb9ad287020558cadf7be01a857a6d85c049e8844
                                                                                              • Instruction Fuzzy Hash: D142F030B042048FDB14EB75C819BAEBBF2AF85324F14856AD515DB3A1EB35DC46CB92
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.613415580.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: TaskmanWindow
                                                                                              • String ID:
                                                                                              • API String ID: 1813601361-0
                                                                                              • Opcode ID: b6486f2106aa4328acdf5baac5c2cb379e4c6133694a9e23ea80182d02042d1a
                                                                                              • Instruction ID: 611fc003d3eae1b0dae1906ad77ee02fa40a643c26be362ac0a53984b66255d7
                                                                                              • Opcode Fuzzy Hash: b6486f2106aa4328acdf5baac5c2cb379e4c6133694a9e23ea80182d02042d1a
                                                                                              • Instruction Fuzzy Hash: CB21E230F042598FCB01EB79D845AEE7BF1AF89310B14806AE149EB391EB38DC05CB51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.613415580.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: TaskmanWindow
                                                                                              • String ID:
                                                                                              • API String ID: 1813601361-0
                                                                                              • Opcode ID: a83c01debd326bfc90250fa639e222ec087a7368a0681c06255dbeebe0b6f927
                                                                                              • Instruction ID: 6077361d0a84b0e8c5fd34889143817b325b99adb8fa7bed3f2ca508086b240a
                                                                                              • Opcode Fuzzy Hash: a83c01debd326bfc90250fa639e222ec087a7368a0681c06255dbeebe0b6f927
                                                                                              • Instruction Fuzzy Hash: C421CF31F043588FCB40EB79D845AEE7BF1AB89310B14D46AE149E7351EB389C068B51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.613415580.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: TaskmanWindow
                                                                                              • String ID:
                                                                                              • API String ID: 1813601361-0
                                                                                              • Opcode ID: 0b439a688afd1acb96a6d7e816369405e5d1dee8d117f20c72dc57cd2cbcf3c6
                                                                                              • Instruction ID: 2b0fcb4ce0f27a7808dc398e5844ba73b8d683ff011f568bbf0bcb26c7e4d54e
                                                                                              • Opcode Fuzzy Hash: 0b439a688afd1acb96a6d7e816369405e5d1dee8d117f20c72dc57cd2cbcf3c6
                                                                                              • Instruction Fuzzy Hash: 53112135F002298F8B40EB7CE845ADEB7F5FB8D210B549429E559F7391EB389D018B91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.613415580.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: TaskmanWindow
                                                                                              • String ID:
                                                                                              • API String ID: 1813601361-0
                                                                                              • Opcode ID: 08d7be1492c3b0863bd6bdcb856cf18c35f489b2fd972d32ea976e1c3ff0084a
                                                                                              • Instruction ID: 6e93e077945d6734f59ba1129de0d794a28e05f6d6359f8b067c49c35e301f44
                                                                                              • Opcode Fuzzy Hash: 08d7be1492c3b0863bd6bdcb856cf18c35f489b2fd972d32ea976e1c3ff0084a
                                                                                              • Instruction Fuzzy Hash: DC112135F002298F8B40EBB8D4459DEB7F5FB8D310B54942AE55AF7351EB34AD028B91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.613415580.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2994545307-0
                                                                                              • Opcode ID: c0692789f41ad1c4c890e66f5519f351787c5077547b8cda0f96fd5c263e385a
                                                                                              • Instruction ID: 7c0bb13e16f607e19373731fe6905bb6154d9b0bee72ace5e2f16d18cf7b4d0c
                                                                                              • Opcode Fuzzy Hash: c0692789f41ad1c4c890e66f5519f351787c5077547b8cda0f96fd5c263e385a
                                                                                              • Instruction Fuzzy Hash: 8951B131B042059FCB04ABB4C855AEEB7F6AF85304B14866AE642AF395EF74EC05CB51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.614375976.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 9a50eb940d5a5750a97c02dbc201e09bf5fbc842a34a658c2cc131ff3d72acc5
                                                                                              • Instruction ID: 908a4916905e88e38404d4e277307642731c4b994dec2ca85623dbd5b2f4184e
                                                                                              • Opcode Fuzzy Hash: 9a50eb940d5a5750a97c02dbc201e09bf5fbc842a34a658c2cc131ff3d72acc5
                                                                                              • Instruction Fuzzy Hash: CA51DAB5E043898FCB14CFA9D8446EEFBF1AF89310F14816AEA44B7251DB389845CF90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegQueryValueExW.KERNELBASE(?,?,?,?,?,?), ref: 00FBE1FE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.613415580.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: QueryValue
                                                                                              • String ID:
                                                                                              • API String ID: 3660427363-0
                                                                                              • Opcode ID: fb8f136f90ed59935dc4ee241f8aa6dfccc706ebb071ad7aaae11c63d6387e7d
                                                                                              • Instruction ID: dc09a0d93a09db16b587617f4a92200ff4783b82446067777378719e5c561df1
                                                                                              • Opcode Fuzzy Hash: fb8f136f90ed59935dc4ee241f8aa6dfccc706ebb071ad7aaae11c63d6387e7d
                                                                                              • Instruction Fuzzy Hash: 885196B4D002189FDB20CFAAD884ADEFBF1BB49304F24906AE818BB251D7749985DF54
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateActCtxA.KERNEL32(?), ref: 02CAD681
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.616707755.0000000002CA0000.00000040.00000001.sdmp, Offset: 02CA0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: Create
                                                                                              • String ID:
                                                                                              • API String ID: 2289755597-0
                                                                                              • Opcode ID: 4e6584dcc56c702ce8e5598a9198fde275cb3ae23103ecda9657788ae9334c9f
                                                                                              • Instruction ID: dd3afe546e9ff45c01d435da5e65ce75a7c6b13c3911515c23ee5a8bc30cbc26
                                                                                              • Opcode Fuzzy Hash: 4e6584dcc56c702ce8e5598a9198fde275cb3ae23103ecda9657788ae9334c9f
                                                                                              • Instruction Fuzzy Hash: 1E51F571D0421C9FDB24CFA4C884BDEBBB5AF45308F1180A9D509BB210DB716E89CF91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • VirtualProtect.KERNEL32(?,?,?,?), ref: 02CA7F37
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.616707755.0000000002CA0000.00000040.00000001.sdmp, Offset: 02CA0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: ProtectVirtual
                                                                                              • String ID:
                                                                                              • API String ID: 544645111-0
                                                                                              • Opcode ID: b8a099aa796fe4ad74563fae5b0c22a357a13f4d7b038b97e2d5d588ee0cab67
                                                                                              • Instruction ID: 93d3a4bdc78e24f45f8dadf82c9ae9366d5252e8b61ce083bafaf0ee55dd1e4f
                                                                                              • Opcode Fuzzy Hash: b8a099aa796fe4ad74563fae5b0c22a357a13f4d7b038b97e2d5d588ee0cab67
                                                                                              • Instruction Fuzzy Hash: A331ACB9D042589FCB10CFA9D884AEEFBF1BB59314F14901AE814B7210D335AA49CF64
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • VirtualProtect.KERNEL32(?,?,?,?), ref: 02CA7F37
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.616707755.0000000002CA0000.00000040.00000001.sdmp, Offset: 02CA0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: ProtectVirtual
                                                                                              • String ID:
                                                                                              • API String ID: 544645111-0
                                                                                              • Opcode ID: 0b71e9955f171d2b2e667cd00571dd9266f0e1508d35c350ab0a01de3ee6ab60
                                                                                              • Instruction ID: 0755b4e89fcda7d65d89789824b5e69a8e23cd4818fef6ac65ec0a2d0102084e
                                                                                              • Opcode Fuzzy Hash: 0b71e9955f171d2b2e667cd00571dd9266f0e1508d35c350ab0a01de3ee6ab60
                                                                                              • Instruction Fuzzy Hash: A03199B9D042589FCF10CFA9D884ADEFBF0BB49314F14902AE814B7210D735AA49CF64
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.614375976.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: e1a95d4d402f926a996e3d456cac8c62c91130916dc07bb2e7748c02d1647f1b
                                                                                              • Instruction ID: ff5e3470f4a0aaeb7f81c49240f6cda7c3d08650f90fca85ad4fe5ffa74233a8
                                                                                              • Opcode Fuzzy Hash: e1a95d4d402f926a996e3d456cac8c62c91130916dc07bb2e7748c02d1647f1b
                                                                                              • Instruction Fuzzy Hash: FD31EEB4D103098FCB14CFA9D585ADEFBF0BB48718F10891AE655B3210C779A8458F54
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GlobalMemoryStatusEx.KERNEL32(?), ref: 012C0592
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.614375976.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: GlobalMemoryStatus
                                                                                              • String ID:
                                                                                              • API String ID: 1890195054-0
                                                                                              • Opcode ID: 49dd0868e0789e72fa9b90bda33446543f3063a9f9f9ccd2edf798d38b80cbdd
                                                                                              • Instruction ID: 7db9e0a91e35df78b5258704c39e39f5007d799a40313890855bdb890f2dc4d2
                                                                                              • Opcode Fuzzy Hash: 49dd0868e0789e72fa9b90bda33446543f3063a9f9f9ccd2edf798d38b80cbdd
                                                                                              • Instruction Fuzzy Hash: 0E31CCB8D04248DFCB10CFAAE484AEEFBF0AB49314F14801AE914B3210D734AA45CF64
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.614375976.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: Initialize
                                                                                              • String ID:
                                                                                              • API String ID: 2538663250-0
                                                                                              • Opcode ID: 49c5f25d7b05c8d0fd016844d223c54bf1f1d7f8c1acadacc55dd6e51c9c229c
                                                                                              • Instruction ID: 9875f3bfa9c7c0527ac44557f9b7696ea9927fa864133f658018f2130d0ba4a7
                                                                                              Non-executed Functions

                                                                                              Strings
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 7ad1f37c5f616fab534052091595f70e8b06186fb2ec45397d225803d2d98d3c
                                                                                              • Instruction ID: 1d8a9f87dbf4b738c3a64ac91c63c77367ad0c05ef59129c9022966f81b6cba7
                                                                                              • Opcode Fuzzy Hash: 7ad1f37c5f616fab534052091595f70e8b06186fb2ec45397d225803d2d98d3c
                                                                                              • Instruction Fuzzy Hash: F4713774E0160ACFCB18CF9AD5909AEFBB2FF48318F14855AD415AB300C770A942CFA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.616707755.0000000002CA0000.00000040.00000001.sdmp, Offset: 02CA0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 70277ffb58cbb8cca9ee3d6e8c5fbf14dd9c9d4e5d4a5ebcae99031693958139
                                                                                              • Instruction ID: df7f99956cbb180b9cf005d0ebbd72ff20e16640c2fb28a32e45d1647dc522d3
                                                                                              • Opcode Fuzzy Hash: 70277ffb58cbb8cca9ee3d6e8c5fbf14dd9c9d4e5d4a5ebcae99031693958139
                                                                                              • Instruction Fuzzy Hash: F6610674E0564ACFCB18CFAAD590AAEFBB2FF48318F148556D415A7704C374A942CFA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.616707755.0000000002CA0000.00000040.00000001.sdmp, Offset: 02CA0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 778df836ef0a0764c148524ac269b89870b3c7ebc86d039760e339afd75200db
                                                                                              • Instruction ID: 6f5000fd5f837762452571374f05040900bd9d0cd84f3adf6d234a595df938c0
                                                                                              • Opcode Fuzzy Hash: 778df836ef0a0764c148524ac269b89870b3c7ebc86d039760e339afd75200db
                                                                                              • Instruction Fuzzy Hash: 7C5125B0E0560ADFCB08CFAAC5815AEFBB2AB89354F64D46AC405B7314E7349A41CB94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.616707755.0000000002CA0000.00000040.00000001.sdmp, Offset: 02CA0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 30b4a7688c93d38a3a169767a9ec4b0fdbfdc2818520af4231efe3f482faeb29
                                                                                              • Instruction ID: c83f28ab72677721be258c7224d22a00edbee5ebb2e0859f67fe0cc00ba671ad
                                                                                              • Opcode Fuzzy Hash: 30b4a7688c93d38a3a169767a9ec4b0fdbfdc2818520af4231efe3f482faeb29
                                                                                              • Instruction Fuzzy Hash: 795104B0E0660ADFCB08CFAAC5815AEFBB2EB89354F64D56AC405B7314D7349A41CB94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.616707755.0000000002CA0000.00000040.00000001.sdmp, Offset: 02CA0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 9d11743042746ee1132fcd71b8514138283112d07f7ad193e42549e9b5d64473
                                                                                              • Instruction ID: add690822c573bf5d68a9839a365096e58266288e2a6bf73a9467acbf3110205
                                                                                              • Opcode Fuzzy Hash: 9d11743042746ee1132fcd71b8514138283112d07f7ad193e42549e9b5d64473
                                                                                              • Instruction Fuzzy Hash: DC417D71E056588FDB18CF6B9D4429EFBF3BFC9204F14C1BA854DAA224DB340A868F11
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.616707755.0000000002CA0000.00000040.00000001.sdmp, Offset: 02CA0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: dac8b8d604d3dbf098c9442a48d83856f149a0f55033f84ba99628a1a4e5bdd7
                                                                                              • Instruction ID: d8264c54944e43d5d39d9f1b0544feeb5d04ead53cdbb527ce9172af0cd25255
                                                                                              • Opcode Fuzzy Hash: dac8b8d604d3dbf098c9442a48d83856f149a0f55033f84ba99628a1a4e5bdd7
                                                                                              • Instruction Fuzzy Hash: DD4114B0E0420A9FCB08CFAAC8915AEFBB2BF89344F64C56AC514A7254E3349641CF95
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.616707755.0000000002CA0000.00000040.00000001.sdmp, Offset: 02CA0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 52f5f6d1a3a802186608a978f99bcd7609e46fc7ec6f3a0bb0a56d095dfd3a17
                                                                                              • Instruction ID: d9a90f48d95541d9d633604446ecda1bb4be6a7db23eeca6c737515753cfb87c
                                                                                              • Opcode Fuzzy Hash: 52f5f6d1a3a802186608a978f99bcd7609e46fc7ec6f3a0bb0a56d095dfd3a17
                                                                                              • Instruction Fuzzy Hash: C94106B0E0420ADBCB48CFAAC8915AEFBF2BB88344F64C56AC515B7254E7349641CF94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.625697717.0000000009FA0000.00000040.00000001.sdmp, Offset: 09FA0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a81560b72835040e1222ef9a48dfe7b07656517048fd53eb0fba512adfbec190
                                                                                              • Instruction ID: 0cfe32b88e1fd5374485db6aa5aa5d61e2467fa4ddef9433a5d293cc0eac8bdd
                                                                                              • Opcode Fuzzy Hash: a81560b72835040e1222ef9a48dfe7b07656517048fd53eb0fba512adfbec190
                                                                                              • Instruction Fuzzy Hash: 991114B1E116199BDB18CFAAD94069EFBF7EFC8310F14C16AD508A7214EB305A428B91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%