Analysis Report Purchase order.exe

Overview

General Information

Sample Name: Purchase order.exe
Analysis ID: 358189
MD5: 98be4d3bb2053810801fadeb32884acd
SHA1: 8919195923883f3842ff78210ab6c6c1e448a10b
SHA256: df61b9c866c5ceb278e173814ddf975b70b5b2e9fcbc5b482326e4163c2e1086
Tags: AgentTesla, exe
Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Yara detected AgentTesla
.NET source code contains very large array initializations
Bypasses PowerShell execution policy
Contains functionality to log keystrokes (.Net Source)
Drops PE files to the startup folder
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Powershell drops PE file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Yara detected Beds Obfuscator
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Purchase order.exe (PID: 7072 cmdline: 'C:\Users\user\Desktop\Purchase order.exe' MD5: 98BE4D3BB2053810801FADEB32884ACD)
    • powershell.exe (PID: 7128 cmdline: 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Purchase order.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Purchase order.exe (PID: 5132 cmdline: C:\Users\user\Desktop\Purchase order.exe MD5: 98BE4D3BB2053810801FADEB32884ACD)
    • Purchase order.exe (PID: 2040 cmdline: C:\Users\user\Desktop\Purchase order.exe MD5: 98BE4D3BB2053810801FADEB32884ACD)
  • Drivers.exe (PID: 5988 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' MD5: 98BE4D3BB2053810801FADEB32884ACD)
    • powershell.exe (PID: 7032 cmdline: 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Drivers.exe (PID: 4924 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe MD5: 98BE4D3BB2053810801FADEB32884ACD)
  • cleanup
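The chain above (a dropper spawning PowerShell with an execution-policy bypass to copy itself into the per-user Startup folder, then the copy running from there at the next logon) is the behaviour a process-creation rule should catch. The following is an added example, not part of the Joe Sandbox report or its rule set: three checks evaluated in Python over event records constructed from the command lines in this process tree. The parent of the initial sample and the event field names (image, parent_image, cmdline) are assumptions modelled on Sysmon Event ID 1 data.

```python
"""Persistence detections evaluated against the process tree from the report.

Added example, not part of the Joe Sandbox report or its rule set. EVENTS is
constructed from the command lines printed in the Startup section; the parent
of the initial sample and the field names are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the created process
    parent_image: str   # full path of its parent
    cmdline: str


# Per-user Startup folder; anything placed here runs at logon.
_STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# powershell.exe accepts -ExecutionPolicy, -exec and -ep alike.
_EP_BYPASS = re.compile(r"-e(?:p|x\w*)\s+(?:bypass|unrestricted)\b", re.IGNORECASE)
# Cmdlets and aliases that write a file.
_FILE_WRITE = re.compile(r"\b(?:copy-item|copy|cp|cpi|move-item|mv|set-content|out-file)\b", re.IGNORECASE)

EVENTS: List[ProcEvent] = [
    # Initial sample; its parent is an assumption (the report does not show it).
    ProcEvent(7072, r"C:\Users\user\Desktop\Purchase order.exe", r"C:\Windows\explorer.exe",
              r"'C:\Users\user\Desktop\Purchase order.exe'"),
    ProcEvent(7128, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\user\Desktop\Purchase order.exe",
              r"'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Purchase order.exe' "
              r"'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'"),
    ProcEvent(7144, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    # Dropped copy started at the next logon; parent again assumed.
    ProcEvent(5988, r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe",
              r"C:\Windows\explorer.exe",
              r"'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'"),
]


def _is_powershell(image: str) -> bool:
    return image.lower().endswith(("\\powershell.exe", "\\pwsh.exe"))


def ps_bypass_writes_startup(ev: ProcEvent) -> bool:
    """PowerShell started with an execution-policy bypass whose command line
    writes a file into a Startup folder (PIDs 7128 and 7032 in the report)."""
    return (_is_powershell(ev.image)
            and _EP_BYPASS.search(ev.cmdline) is not None
            and _FILE_WRITE.search(ev.cmdline) is not None
            and _STARTUP_DIR.search(ev.cmdline) is not None)


def ps_copies_parent_image(ev: ProcEvent) -> bool:
    """A non-PowerShell parent spawns PowerShell and passes its own image path
    on the command line: the self-install pattern, whatever the destination."""
    return (_is_powershell(ev.image)
            and not _is_powershell(ev.parent_image)
            and ev.parent_image.lower() in ev.cmdline.lower())


def exec_from_startup_folder(ev: ProcEvent) -> bool:
    """Binary executing out of a Startup folder. Legitimate items exist, so in
    production pair this with signer or prevalence data before alerting."""
    return _STARTUP_DIR.search(ev.image) is not None


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "ps_bypass_writes_startup": ps_bypass_writes_startup,
    "ps_copies_parent_image": ps_copies_parent_image,
    "exec_from_startup_folder": exec_from_startup_folder,
}


def evaluate(events: Iterable[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule name) for every rule that fires on every event."""
    return [(ev.pid, name) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for pid, rule in evaluate(EVENTS):
        print(f"PID {pid}: {rule}")
```

Run the file directly to print the hits: PID 7128 trips the first two rules and PID 5988 the third. Note that the second powershell.exe in the tree (PID 7032) copies Drivers.exe onto itself, so the first rule fires again at every logon; that repetition is itself a useful hunting signal.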

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000002.00000002.337349475.00000000057B0000.00000004.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
00000002.00000002.334741254.00000000040B9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.334741254.00000000040B9000.00000004.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(17 entries in total; the first 5 are shown)

Unpacked PEs

Source | Rule | Description | Author
11.2.Drivers.exe.4b20000.7.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
11.2.Drivers.exe.358f940.3.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
2.2.Purchase order.exe.42223b8.5.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
11.2.Drivers.exe.4b20000.7.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
2.2.Purchase order.exe.411f940.3.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
(17 entries in total; the first 5 are shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | ReversingLabs: Detection: 27%
Source: 7.2.Purchase order.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 17.2.Drivers.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: Purchase order.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses secure TLS version for HTTPS connections
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49748 version: TLS 1.2
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Purchase order.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: RunPE.pdb source: Purchase order.exe, 00000002.00000002.334237631.00000000030B1000.00000004.00000001.sdmp, Drivers.exe, 0000000B.00000002.423002079.0000000002521000.00000004.00000001.sdmp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | File opened: C:\Users\user\AppData\

Networking:

Uses the Telegram API (likely for C&C communication)
Source: unknown | DNS query: name: api.telegram.org
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS traffic detected: queries for: api.telegram.org
Source: Purchase order.exe, 00000007.00000002.599811556.00000000033E1000.00000004.00000001.sdmp, Drivers.exe, 00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Purchase order.exe, 00000007.00000002.599811556.00000000033E1000.00000004.00000001.sdmp | String found in binary or memory: http://Aa8zauZezuE3202C2Z.com
Source: Drivers.exe, 00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Purchase order.exe, 00000007.00000002.601672353.000000000375E000.00000004.00000001.sdmp | String found in binary or memory: http://api.telegram.org
Source: Purchase order.exe, 00000002.00000002.334741254.00000000040B9000.00000004.00000001.sdmp, Drivers.exe, 0000000B.00000002.423935619.0000000003529000.00000004.00000001.sdmp | String found in binary or memory: http://blog.naver.com/cubemit314Ghttp://projectofsonagi.tistory.com/
Source: Purchase order.exe, 00000007.00000002.607397136.0000000006BB8000.00000004.00000001.sdmp | String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: Purchase order.exe, 00000007.00000002.607397136.0000000006BB8000.00000004.00000001.sdmp | String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: Purchase order.exe, 00000007.00000002.607397136.0000000006BB8000.00000004.00000001.sdmp | String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: powershell.exe, 00000003.00000002.390650035.00000000007B6000.00000004.00000020.sdmp, powershell.exe, 0000000F.00000002.538667985.0000000007D80000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Purchase order.exe, 00000007.00000002.607397136.0000000006BB8000.00000004.00000001.sdmp | String found in binary or memory: http://crl.godaddy.com/gdig2s1-1823.crl0
Source: Purchase order.exe, 00000007.00000002.607397136.0000000006BB8000.00000004.00000001.sdmp | String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: Purchase order.exe, 00000007.00000002.607397136.0000000006BB8000.00000004.00000001.sdmp | String found in binary or memory: http://crl.godaddy.com/gdroot.crl0F
Source: Drivers.exe, 00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp | String found in binary or memory: http://jotaSG.com
Source: powershell.exe, 00000003.00000002.393564228.0000000005408000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.536141435.0000000005C75000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: Purchase order.exe, 00000007.00000002.607397136.0000000006BB8000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.godaddy.com/0
Source: Purchase order.exe, 00000007.00000002.607397136.0000000006BB8000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.godaddy.com/02
Source: Purchase order.exe, 00000007.00000002.607397136.0000000006BB8000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.godaddy.com/05
Source: powershell.exe, 00000003.00000002.392234936.00000000044E2000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000003.504047446.0000000007E23000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.531885745.0000000004D50000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.392234936.00000000044E2000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.pngHz
Source: powershell.exe, 00000003.00000002.392035603.00000000043A1000.00000004.00000001.sdmp, Purchase order.exe, 00000007.00000002.601601404.000000000374A000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.531608455.0000000004C11000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.392234936.00000000044E2000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000003.504047446.0000000007E23000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.531885745.0000000004D50000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.392234936.00000000044E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlHz
Source: Purchase order.exe, 00000007.00000002.607485458.0000000006BF0000.00000004.00000001.sdmp | String found in binary or memory: http://www.microsoft.coo.
Source: Purchase order.exe, 00000007.00000002.599811556.00000000033E1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: Drivers.exe, 00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Purchase order.exe, 00000007.00000002.601601404.000000000374A000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org
Source: Purchase order.exe, 00000002.00000002.334741254.00000000040B9000.00000004.00000001.sdmp, Purchase order.exe, 00000007.00000002.592269588.0000000000402000.00000040.00000001.sdmp, Drivers.exe, 0000000B.00000002.423935619.0000000003529000.00000004.00000001.sdmp, Drivers.exe, 00000011.00000002.592230208.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot1670019254:AAH89qmQqzYne6MnIySolVTT-8E2raVN0Ko/
Source: Purchase order.exe, 00000007.00000002.601601404.000000000374A000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot1670019254:AAH89qmQqzYne6MnIySolVTT-8E2raVN0Ko/sendDocument
Source: Purchase order.exe, 00000007.00000002.599811556.00000000033E1000.00000004.00000001.sdmp, Drivers.exe, 00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot1670019254:AAH89qmQqzYne6MnIySolVTT-8E2raVN0Ko/sendDocumentdocument-----
Source: Purchase order.exe, 00000007.00000002.601601404.000000000374A000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org4)l
Source: Purchase order.exe, 00000007.00000002.602072770.000000000379E000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.orgD8)l
Source: Purchase order.exe, 00000007.00000002.607397136.0000000006BB8000.00000004.00000001.sdmp | String found in binary or memory: https://certs.godaddy.com/repository/0
Source: powershell.exe, 0000000F.00000002.536141435.0000000005C75000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000F.00000002.536141435.0000000005C75000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000F.00000002.536141435.0000000005C75000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.392234936.00000000044E2000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000003.504047446.0000000007E23000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.531885745.0000000004D50000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.392234936.00000000044E2000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/PesterHz
Source: powershell.exe, 00000003.00000002.393564228.0000000005408000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.536141435.0000000005C75000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: Purchase order.exe, 00000002.00000002.334741254.00000000040B9000.00000004.00000001.sdmp, Purchase order.exe, 00000007.00000002.592269588.0000000000402000.00000040.00000001.sdmp, Drivers.exe, 0000000B.00000002.423935619.0000000003529000.00000004.00000001.sdmp, Drivers.exe, 00000011.00000002.592230208.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Purchase order.exe, 00000007.00000002.599811556.00000000033E1000.00000004.00000001.sdmp, Drivers.exe, 00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49748 version: TLS 1.2
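The strings above contain the complete Bot API URL including the bot token, which is the credential the stealer uses to upload harvested data with sendDocument. The following is an added example, not part of the report: a Python extractor run over the memory strings listed above (constructed here as a list), which pulls the token, normalises the method name out of strings that memory extraction has fused with neighbouring data, and produces a redacted form safe for sharing. The function names are my own.

```python
"""Telegram Bot API indicator extraction from memory strings.

Added example, not part of the Joe Sandbox report. STRINGS is constructed
from the "String found in binary or memory" entries in the Networking section
so the code runs offline; the function names are my own.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The credential sits in the URL path: /bot<bot_id>:<secret>/<method>.
# Secrets are currently 35 chars of [A-Za-z0-9_-]; the range leaves slack.
_BOT_URL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d{6,12}):(?P<secret>[A-Za-z0-9_-]{30,45})"
    r"(?:/(?P<method>[A-Za-z]*))?"
)

# Methods an infostealer is likely to call; matched by prefix (see below).
KNOWN_METHODS = ("sendDocument", "sendMessage", "sendPhoto", "getUpdates", "getMe")

# Constructed from the report's Networking section.
STRINGS = [
    "http://api.telegram.org",
    "https://api.telegram.org",
    "https://api.telegram.org/bot1670019254:AAH89qmQqzYne6MnIySolVTT-8E2raVN0Ko/",
    "https://api.telegram.org/bot1670019254:AAH89qmQqzYne6MnIySolVTT-8E2raVN0Ko/sendDocument",
    "https://api.telegram.org/bot1670019254:AAH89qmQqzYne6MnIySolVTT-8E2raVN0Ko/sendDocumentdocument-----",
    "https://api.ipify.org%GETMozilla/5.0",
    "https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip",
]


@dataclass(frozen=True)
class TelegramHit:
    bot_id: str
    secret: str
    method: Optional[str]   # normalised API method; None when the URL ends at /bot<token>/


def _normalise_method(raw: Optional[str]) -> Optional[str]:
    """Strings lifted from memory are often fused with adjacent data (the
    report shows 'sendDocumentdocument-----': the multipart field name and
    boundary glued on). Keep only a known method that prefixes the raw text."""
    if not raw:
        return None
    for m in KNOWN_METHODS:
        if raw.startswith(m):
            return m
    return None


def extract_telegram_hits(strings: Iterable[str]) -> List[TelegramHit]:
    """Every distinct (bot id, secret, method) seen in the input strings."""
    hits: List[TelegramHit] = []
    for s in strings:
        for m in _BOT_URL.finditer(s):
            hit = TelegramHit(m["bot_id"], m["secret"], _normalise_method(m["method"]))
            if hit not in hits:
                hits.append(hit)
    return hits


def bot_tokens(hits: Iterable[TelegramHit]) -> List[str]:
    """Unique tokens in the <id>:<secret> form the API expects (for revocation requests)."""
    return sorted({f"{h.bot_id}:{h.secret}" for h in hits})


def redact_token(token: str) -> str:
    """Form safe for tickets and IOC feeds: the bot id is not secret, the secret is."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}...{secret[-4:]}"


def uploads_files(hits: Iterable[TelegramHit]) -> bool:
    """sendDocument/sendPhoto mean the bot channel carries files
    (credential dumps, screenshots), not just status text."""
    return any(h.method in ("sendDocument", "sendPhoto") for h in hits)


if __name__ == "__main__":
    found = extract_telegram_hits(STRINGS)
    for t in bot_tokens(found):
        print("token:", redact_token(t))
    print("methods:", sorted({h.method for h in found if h.method}))
    print("file upload:", uploads_files(found))
```

api.telegram.org and 149.154.167.220 are shared by every Telegram bot, so the token is the precise indicator for this campaign; the host or IP is only a useful block if the organisation does not otherwise use Telegram.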

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: Purchase order.exe, Hook.cs | .Net Code: Register
Source: 2.0.Purchase order.exe.d20000.0.unpack, Hook.cs | .Net Code: Register
Source: 2.2.Purchase order.exe.d20000.0.unpack, Hook.cs | .Net Code: Register
Source: Drivers.exe.3.dr, Hook.cs | .Net Code: Register
Source: 6.2.Purchase order.exe.1f0000.0.unpack, Hook.cs | .Net Code: Register
Source: 6.0.Purchase order.exe.1f0000.0.unpack, Hook.cs | .Net Code: Register
Source: 7.0.Purchase order.exe.f90000.0.unpack, Hook.cs | .Net Code: Register
Source: 7.2.Purchase order.exe.f90000.1.unpack, Hook.cs | .Net Code: Register
Source: 11.0.Drivers.exe.10000.0.unpack, Hook.cs | .Net Code: Register
Source: 11.2.Drivers.exe.10000.0.unpack, Hook.cs | .Net Code: Register
Source: 17.0.Drivers.exe.800000.0.unpack, Hook.cs | .Net Code: Register
Installs a global keyboard hook
Source: C:\Users\user\Desktop\Purchase order.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Purchase order.exe

System Summary:

.NET source code contains very large array initializations
Source: 7.2.Purchase order.exe.400000.0.unpack, <PrivateImplementationDetails>{3AC7E05A-C66B-4157-95C4-6C91F712DA24}/0AFDCAC9-DE14-4130-A6F9-286CA1BF4D87.cs | Large array initialization: .cctor: array initializer size 12028
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Purchase order.exe
Powershell drops PE file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 2_2_015B6F80
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 2_2_015B58D8
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 2_2_015BBC1D
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 2_2_015BBC88
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_015D2D50
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_015D1FE2
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_015D2618
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_015DDAF0
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_01728DC8
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_01720CA8
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_01727350
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_01720E9E
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_01729340
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_01724B48
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_01722BF0
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_01725FB8
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_01724AE9
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_01739128
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_01736D90
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_01735D98
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_0173B0E0
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_0173DC88
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_01732F78
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_01730E1B
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_0173F2E6
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_017371C3
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_01737238
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_0173CED0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Code function: 11_2_00B96F80
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Code function: 11_2_00B958D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Code function: 11_2_00B9BC88
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Code function: 17_2_02B947B2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Code function: 17_2_02B94827
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Code function: 17_2_02B9D890
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Code function: 17_2_05DD7538
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Code function: 17_2_05DD94F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Code function: 17_2_05DD6920
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Code function: 17_2_05DD6C68
Source: Purchase order.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Drivers.exe.3.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Purchase order.exe, 00000002.00000002.334741254.00000000040B9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCaptIt.dll. vs Purchase order.exe
Source: Purchase order.exe, 00000002.00000002.334741254.00000000040B9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameQDMERNJgHEzTJlNmtyUNxhtBpXZd.exe4 vs Purchase order.exe
Source: Purchase order.exe, 00000002.00000000.323630469.0000000000D9E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamePOWERPNT.exeL vs Purchase order.exe
Source: Purchase order.exe, 00000002.00000002.334237631.00000000030B1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRunPE.dll" vs Purchase order.exe
Source: Purchase order.exe, 00000006.00000000.330564181.000000000026E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamePOWERPNT.exeL vs Purchase order.exe
Source: Purchase order.exe, 00000007.00000002.607109858.00000000069E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Purchase order.exe
Source: Purchase order.exe, 00000007.00000002.593118227.000000000100E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamePOWERPNT.exeL vs Purchase order.exe
Source: Purchase order.exe, 00000007.00000002.597084899.00000000018D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs Purchase order.exe
Source: Purchase order.exe, 00000007.00000002.607228994.0000000006A60000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Purchase order.exe
Source: Purchase order.exe, 00000007.00000002.592269588.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameQDMERNJgHEzTJlNmtyUNxhtBpXZd.exe4 vs Purchase order.exe
Source: Purchase order.exe, 00000007.00000002.593212130.00000000011A8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Purchase order.exe
Source: Purchase order.exe | Binary or memory string: OriginalFilenamePOWERPNT.exeL vs Purchase order.exe
Source: Purchase order.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Purchase order.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Drivers.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Purchase order.exe, Config.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.0.Purchase order.exe.d20000.0.unpack, Config.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.Purchase order.exe.d20000.0.unpack, Config.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: Drivers.exe.3.dr, Config.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.2.Purchase order.exe.1f0000.0.unpack, Config.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.Purchase order.exe.1f0000.0.unpack, Config.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: classification engineClassification label: mal100.troj.adwa.spyw.evad.winEXE@14/13@1/1
                      Source: C:\Users\user\Desktop\Purchase order.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase order.exe.logJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7144:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_01
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k3u3tnr4.sav.ps1Jump to behavior
                      Source: Purchase order.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\Purchase order.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\Purchase order.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
Source: C:\Users\user\Desktop\Purchase order.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Purchase order.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Purchase order.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Purchase order.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Users\user\Desktop\Purchase order.exe 'C:\Users\user\Desktop\Purchase order.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Purchase order.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\Purchase order.exe C:\Users\user\Desktop\Purchase order.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
Source: C:\Users\user\Desktop\Purchase order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Purchase order.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
Source: C:\Users\user\Desktop\Purchase order.exe | Process created: C:\Users\user\Desktop\Purchase order.exe C:\Users\user\Desktop\Purchase order.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
Source: C:\Users\user\Desktop\Purchase order.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Purchase order.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Purchase order.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Purchase order.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Purchase order.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RunPE.pdb | source: Purchase order.exe, 00000002.00000002.334237631.00000000030B1000.00000004.00000001.sdmp, Drivers.exe, 0000000B.00000002.423002079.0000000002521000.00000004.00000001.sdmp

                      Data Obfuscation:

Yara detected Beds Obfuscator
Source: Yara match | File source: 00000002.00000002.337349475.00000000057B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.334741254.00000000040B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.423935619.0000000003529000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.429837387.0000000004B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Drivers.exe PID: 5988, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase order.exe PID: 7072, type: MEMORY
Source: Yara match | File source: 11.2.Drivers.exe.4b20000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Drivers.exe.358f940.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Drivers.exe.4b20000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Purchase order.exe.411f940.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Drivers.exe.35f5d70.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Purchase order.exe.4185d70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Purchase order.exe.57b0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Purchase order.exe.4185d70.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Purchase order.exe.411f940.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Purchase order.exe.57b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Drivers.exe.35f5d70.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Drivers.exe.358f940.3.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_015D1F32 push es; ret (7_2_015D1F40)
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_015D7A37 push edi; retn 0000h (7_2_015D7A39)
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_018ED8BE push edi; retf (7_2_018ED856)
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_018ED9BE push esi; retf (7_2_018ED956)
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_018EDA1E push esi; retf (7_2_018ED9B6)
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_018ED91C push edi; retf (7_2_018ED8B6)
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_018ED97C push edi; retf (7_2_018ED916)
Source: initial sample | Static PE information: section name: .text entropy: 7.98094912825
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe

                      Boot Survival:

Drops PE files to the startup folder
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\Purchase order.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Purchase order.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\Purchase order.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\Purchase order.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Yara detected Beds Obfuscator
                      Source: Yara match, File source: 00000002.00000002.337349475.00000000057B0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000002.00000002.334741254.00000000040B9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000000B.00000002.423935619.0000000003529000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000000B.00000002.429837387.0000000004B20000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: Process Memory Space: Drivers.exe PID: 5988, type: MEMORY
                      Source: Yara match, File source: Process Memory Space: Purchase order.exe PID: 7072, type: MEMORY
                      Source: Yara match, File source: 11.2.Drivers.exe.4b20000.7.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 11.2.Drivers.exe.358f940.3.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 11.2.Drivers.exe.4b20000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 2.2.Purchase order.exe.411f940.3.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 11.2.Drivers.exe.35f5d70.5.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 2.2.Purchase order.exe.4185d70.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 2.2.Purchase order.exe.57b0000.8.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 2.2.Purchase order.exe.4185d70.4.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 2.2.Purchase order.exe.411f940.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 2.2.Purchase order.exe.57b0000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 11.2.Drivers.exe.35f5d70.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 11.2.Drivers.exe.358f940.3.raw.unpack, type: UNPACKEDPE
                      Source: C:\Users\user\Desktop\Purchase order.exe Thread delayed: delay time: 922337203685477 (2 entries)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (4 entries)
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe Thread delayed: delay time: 922337203685477 (2 entries)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1993
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1233
                      Source: C:\Users\user\Desktop\Purchase order.exe Window / User API: threadDelayed 1115
                      Source: C:\Users\user\Desktop\Purchase order.exe Window / User API: threadDelayed 8743
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4319
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2051
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe Window / User API: threadDelayed 947
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe Window / User API: threadDelayed 8892
                      Source: C:\Users\user\Desktop\Purchase order.exe TID: 7116 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1072 Thread sleep count: 1993 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4552 Thread sleep count: 1233 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4828 Thread sleep count: 58 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6568 Thread sleep time: -14757395258967632s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4628 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\Purchase order.exe TID: 5788 Thread sleep time: -15679732462653109s >= -30000s
                      Source: C:\Users\user\Desktop\Purchase order.exe TID: 5792 Thread sleep count: 1115 > 30
                      Source: C:\Users\user\Desktop\Purchase order.exe TID: 5792 Thread sleep count: 8743 > 30
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe TID: 7152 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5160 Thread sleep count: 4319 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5160 Thread sleep count: 2051 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3904 Thread sleep count: 34 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5500 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6228 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe TID: 6032 Thread sleep time: -23980767295822402s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe TID: 5708 Thread sleep count: 947 > 30
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe TID: 5708 Thread sleep count: 8892 > 30
                      Source: C:\Users\user\Desktop\Purchase order.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Purchase order.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Purchase order.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeFile opened: C:\Users\user\Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeFile opened: C:\Users\user\AppData\Jump to behavior
                      Source: powershell.exe, 00000003.00000002.392297211.0000000004543000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000003.513586796.0000000005848000.00000004.00000001.sdmpBinary or memory string: Hyper-V
                      Source: powershell.exe, 00000003.00000002.392297211.0000000004543000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000003.513586796.0000000005848000.00000004.00000001.sdmpBinary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
                      Source: C:\Users\user\Desktop\Purchase order.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase order.exeCode function: 7_2_01739128 LdrInitializeThunk,7_2_01739128
                      Source: C:\Users\user\Desktop\Purchase order.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\Purchase order.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\Purchase order.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion:

Bypasses PowerShell execution policy
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Purchase order.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
Source: C:\Users\user\Desktop\Purchase order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Purchase order.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
Source: C:\Users\user\Desktop\Purchase order.exe | Process created: C:\Users\user\Desktop\Purchase order.exe C:\Users\user\Desktop\Purchase order.exe
Source: C:\Users\user\Desktop\Purchase order.exe | Process created: C:\Users\user\Desktop\Purchase order.exe C:\Users\user\Desktop\Purchase order.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
Source: Purchase order.exe, 00000007.00000002.598220796.0000000001DA0000.00000002.00000001.sdmp, Drivers.exe, 00000011.00000002.596524733.0000000001680000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Purchase order.exe, 00000007.00000002.598220796.0000000001DA0000.00000002.00000001.sdmp, Drivers.exe, 00000011.00000002.596524733.0000000001680000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Purchase order.exe, 00000007.00000002.598220796.0000000001DA0000.00000002.00000001.sdmp, Drivers.exe, 00000011.00000002.596524733.0000000001680000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
Source: Purchase order.exe, 00000007.00000002.598220796.0000000001DA0000.00000002.00000001.sdmp, Drivers.exe, 00000011.00000002.596524733.0000000001680000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Purchase order.exe | Queries volume information: C:\Users\user\Desktop\Purchase order.exe VolumeInformation
Source: C:\Users\user\Desktop\Purchase order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order.exe | Queries volume information: C:\Users\user\Desktop\Purchase order.exe VolumeInformation
Source: C:\Users\user\Desktop\Purchase order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Code function: 17_2_05DD516C GetUserNameW, 17_2_05DD516C
Source: C:\Users\user\Desktop\Purchase order.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000002.00000002.334741254.00000000040B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.423935619.0000000003529000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.592230208.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.412342681.0000000000756000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.592269588.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.324926849.0000000001303000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.599811556.00000000033E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Drivers.exe PID: 4924, type: MEMORY
Source: Yara match | File source: Process Memory Space: Drivers.exe PID: 5988, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase order.exe PID: 2040, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase order.exe PID: 7072, type: MEMORY
Source: Yara match | File source: 2.2.Purchase order.exe.42223b8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Drivers.exe.36923b8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Purchase order.exe.4185d70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Purchase order.exe.42223b8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Purchase order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Drivers.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Purchase order.exe.411f940.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Drivers.exe.35f5d70.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Drivers.exe.36923b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Drivers.exe.358f940.3.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Purchase order.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Purchase order.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Purchase order.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Purchase order.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\Purchase order.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Purchase order.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Purchase order.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Purchase order.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Purchase order.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.599811556.00000000033E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Drivers.exe PID: 4924, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase order.exe PID: 2040, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000002.00000002.334741254.00000000040B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.423935619.0000000003529000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.592230208.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.412342681.0000000000756000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.592269588.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.324926849.0000000001303000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.599811556.00000000033E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Drivers.exe PID: 4924, type: MEMORY
Source: Yara match | File source: Process Memory Space: Drivers.exe PID: 5988, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase order.exe PID: 2040, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase order.exe PID: 7072, type: MEMORY
Source: Yara match | File source: 2.2.Purchase order.exe.42223b8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Drivers.exe.36923b8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Purchase order.exe.4185d70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Purchase order.exe.42223b8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Purchase order.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.Drivers.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.Purchase order.exe.411f940.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.Drivers.exe.35f5d70.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.Drivers.exe.36923b8.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.Drivers.exe.358f940.3.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (211) | Startup Items (1) | Startup Items (1) | Disable or Modify Tools (1) | OS Credential Dumping (2) | Account Discovery (1) | Remote Services | Archive Collected Data (11) | Exfiltration Over Other Network Medium | Web Service (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | PowerShell (2) | Registry Run Keys / Startup Folder (12) | Process Injection (12) | Deobfuscate/Decode Files or Information (1) | Input Capture (21) | File and Directory Discovery (1) | Remote Desktop Protocol | Data from Local System (2) | Exfiltration Over Bluetooth | Encrypted Channel (12) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Registry Run Keys / Startup Folder (12) | Obfuscated Files or Information (2) | Credentials in Registry (1) | System Information Discovery (114) | SMB/Windows Admin Shares | Email Collection (1) | Automated Exfiltration | Non-Application Layer Protocol (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing (3) | NTDS | Query Registry (1) | Distributed Component Object Model | Input Capture (21) | Scheduled Transfer | Application Layer Protocol (2) | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading (1) | LSA Secrets | Security Software Discovery (211) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion (13) | Cached Domain Credentials | Virtualization/Sandbox Evasion (13) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection (12) | DCSync | Process Discovery (2) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Application Window Discovery (1) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery (1) | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

Behavior Graph

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Behavior Graph ID: 358189
Sample: Purchase order.exe
Startdate: 25/02/2021
Architecture: WINDOWS
Score: 100

Signatures attached to the start node: Multi AV Scanner detection for dropped file; Yara detected AgentTesla; .NET source code contains very large array initializations; 7 other signatures

Process tree recovered from the graph:

• Purchase order.exe (started)
  • Purchase order.exe (started)
    DNS/IP: api.telegram.org 149.154.167.220, 443, 49748, TELEGRAMRU, United Kingdom
    Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; 2 other signatures
  • powershell.exe (started)
    Dropped: C:\Users\user\AppData\Roaming\...\Drivers.exe, PE32; C:\Users\user\...\Drivers.exe:Zone.Identifier, ASCII
    Signatures: Drops PE files to the startup folder; Powershell drops PE file
    • conhost.exe (started)
  • Purchase order.exe (started)
• Drivers.exe (started)
  • powershell.exe (started)
    • conhost.exe (started)
  • Drivers.exe (started)

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | 28% | ReversingLabs | ByteCode-MSIL.Trojan.Pwsx

Unpacked PE Files

Source | Detection | Scanner | Label
7.2.Purchase order.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
17.2.Drivers.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://Aa8zauZezuE3202C2Z.com | 0% | Avira URL Cloud | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://api.telegram.org4)l | 0% | Avira URL Cloud | safe
https://api.ipify.org%$ | 0% | Avira URL Cloud | safe
http://www.microsoft.coo. | 0% | Avira URL Cloud | safe
https://contoso.com/ | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.pngHz | 0% | Avira URL Cloud | safe
https://api.telegram.orgD8)l | 0% | Avira URL Cloud | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://jotaSG.com | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.telegram.org | 149.154.167.220 | true | false | | high

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | Purchase order.exe, 00000007.00000002.599811556.00000000033E1000.00000004.00000001.sdmp; Drivers.exe, 00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.393564228.0000000005408000.00000004.00000001.sdmp; powershell.exe, 0000000F.00000002.536141435.0000000005C75000.00000004.00000001.sdmp | false | | high
http://DynDns.comDynDNS | Drivers.exe, 00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://Aa8zauZezuE3202C2Z.com | Purchase order.exe, 00000007.00000002.599811556.00000000033E1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot1670019254:AAH89qmQqzYne6MnIySolVTT-8E2raVN0Ko/ | Purchase order.exe, 00000002.00000002.334741254.00000000040B9000.00000004.00000001.sdmp; Purchase order.exe, 00000007.00000002.592269588.0000000000402000.00000040.00000001.sdmp; Drivers.exe, 0000000B.00000002.423935619.0000000003529000.00000004.00000001.sdmp; Drivers.exe, 00000011.00000002.592230208.0000000000402000.00000040.00000001.sdmp | false | | high
https://api.telegram.org | Purchase order.exe, 00000007.00000002.601601404.000000000374A000.00000004.00000001.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.392234936.00000000044E2000.00000004.00000001.sdmp; powershell.exe, 0000000F.00000003.504047446.0000000007E23000.00000004.00000001.sdmp; powershell.exe, 0000000F.00000002.531885745.0000000004D50000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | Purchase order.exe, 00000007.00000002.599811556.00000000033E1000.00000004.00000001.sdmp; Drivers.exe, 00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.392234936.00000000044E2000.00000004.00000001.sdmp; powershell.exe, 0000000F.00000003.504047446.0000000007E23000.00000004.00000001.sdmp; powershell.exe, 0000000F.00000002.531885745.0000000004D50000.00000004.00000001.sdmp | false | | high
http://certificates.godaddy.com/repository/0 | Purchase order.exe, 00000007.00000002.607397136.0000000006BB8000.00000004.00000001.sdmp | false | | high
http://certs.godaddy.com/repository/1301 | Purchase order.exe, 00000007.00000002.607397136.0000000006BB8000.00000004.00000001.sdmp | false | | high
https://contoso.com/License | powershell.exe, 0000000F.00000002.536141435.0000000005C75000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000F.00000002.536141435.0000000005C75000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org4)l | Purchase order.exe, 00000007.00000002.601601404.000000000374A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://blog.naver.com/cubemit314Ghttp://projectofsonagi.tistory.com/ | Purchase order.exe, 00000002.00000002.334741254.00000000040B9000.00000004.00000001.sdmp; Drivers.exe, 0000000B.00000002.423935619.0000000003529000.00000004.00000001.sdmp | false | | high
http://crl.godaddy.com/gdig2s1-1823.crl0 | Purchase order.exe, 00000007.00000002.607397136.0000000006BB8000.00000004.00000001.sdmp | false | | high
https://certs.godaddy.com/repository/0 | Purchase order.exe, 00000007.00000002.607397136.0000000006BB8000.00000004.00000001.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.392234936.00000000044E2000.00000004.00000001.sdmp; powershell.exe, 0000000F.00000003.504047446.0000000007E23000.00000004.00000001.sdmp; powershell.exe, 0000000F.00000002.531885745.0000000004D50000.00000004.00000001.sdmp | false | | high
https://api.ipify.org%$ | Purchase order.exe, 00000007.00000002.599811556.00000000033E1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.microsoft.coo. | Purchase order.exe, 00000007.00000002.607485458.0000000006BF0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.godaddy.com/gdroot-g2.crl0F | Purchase order.exe, 00000007.00000002.607397136.0000000006BB8000.00000004.00000001.sdmp | false | | high
https://github.com/Pester/PesterHz | powershell.exe, 00000003.00000002.392234936.00000000044E2000.00000004.00000001.sdmp | false | | high
https://contoso.com/ | powershell.exe, 0000000F.00000002.536141435.0000000005C75000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.393564228.0000000005408000.00000004.00000001.sdmp; powershell.exe, 0000000F.00000002.536141435.0000000005C75000.00000004.00000001.sdmp | false | | high
http://crl.godaddy.com/gdroot.crl0F | Purchase order.exe, 00000007.00000002.607397136.0000000006BB8000.00000004.00000001.sdmp | false | | high
http://pesterbdd.com/images/Pester.pngHz | powershell.exe, 00000003.00000002.392234936.00000000044E2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.orgD8)l | Purchase order.exe, 00000007.00000002.602072770.000000000379E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://api.ipify.org%GETMozilla/5.0 | Drivers.exe, 00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://www.apache.org/licenses/LICENSE-2.0.htmlHz | powershell.exe, 00000003.00000002.392234936.00000000044E2000.00000004.00000001.sdmp | false | | high
http://api.telegram.org | Purchase order.exe, 00000007.00000002.601672353.000000000375E000.00000004.00000001.sdmp | false | | high
http://certificates.godaddy.com/repository/gdig2.crt0 | Purchase order.exe, 00000007.00000002.607397136.0000000006BB8000.00000004.00000001.sdmp | false | | high
http://jotaSG.com | Drivers.exe, 00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot1670019254:AAH89qmQqzYne6MnIySolVTT-8E2raVN0Ko/sendDocument | Purchase order.exe, 00000007.00000002.601601404.000000000374A000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.392035603.00000000043A1000.00000004.00000001.sdmp; Purchase order.exe, 00000007.00000002.601601404.000000000374A000.00000004.00000001.sdmp; powershell.exe, 0000000F.00000002.531608455.0000000004C11000.00000004.00000001.sdmp | false | | high
https://api.telegram.org/bot1670019254:AAH89qmQqzYne6MnIySolVTT-8E2raVN0Ko/sendDocumentdocument----- | Purchase order.exe, 00000007.00000002.599811556.00000000033E1000.00000004.00000001.sdmp; Drivers.exe, 00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Purchase order.exe, 00000002.00000002.334741254.00000000040B9000.00000004.00000001.sdmp; Purchase order.exe, 00000007.00000002.592269588.0000000000402000.00000040.00000001.sdmp; Drivers.exe, 0000000B.00000002.423935619.0000000003529000.00000004.00000001.sdmp; Drivers.exe, 00000011.00000002.592230208.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown

                                                                Contacted IPs

                                                                • No. of IPs < 25%
                                                                • 25% < No. of IPs < 50%
                                                                • 50% < No. of IPs < 75%
                                                                • 75% < No. of IPs

                                                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | unknown | United Kingdom | 62041 | TELEGRAMRU | false

                                                                General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 358189
Start date: 25.02.2021
Start time: 07:44:44
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 53s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Purchase order.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.winEXE@14/13@1/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 171
• Number of non-executed functions: 2
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, taskhostw.exe, audiodg.exe, BackgroundTransferHost.exe, wermgr.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 13.88.21.125, 92.122.145.220, 168.61.161.212, 52.255.188.83, 104.43.139.144, 51.11.168.160, 104.43.193.48, 2.20.142.210, 2.20.142.209, 51.103.5.159, 52.155.217.156, 92.122.213.194, 92.122.213.247, 20.54.26.129, 40.126.31.1, 40.126.31.135, 20.190.159.138, 40.126.31.6, 40.126.31.4, 40.126.31.8, 40.126.31.139, 40.126.31.141, 23.218.208.56
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, vip1-par02p.wns.notify.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, login.live.com, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/358189/sample/Purchase order.exe

                                                                Simulations

                                                                Behavior and APIs

Time | Type | Description
07:45:57 | API Interceptor | 699x Sleep call for process: Purchase order.exe modified
07:46:00 | API Interceptor | 59x Sleep call for process: powershell.exe modified
07:46:05 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
07:46:58 | API Interceptor | 307x Sleep call for process: Drivers.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
149.154.167.220 | WHz0D1UERA.exe | malicious
149.154.167.220 | g6ys6ZH0HO.exe | malicious
149.154.167.220 | OC 136584.PDF.exe | malicious
149.154.167.220 | Quote_13940007.exe | malicious
149.154.167.220 | SKBM 0222.exe | malicious
149.154.167.220 | crypted.exe | malicious
149.154.167.220 | PO-735643-SALES.exe | malicious
149.154.167.220 | muOvK6dngg.exe | malicious
149.154.167.220 | SKBM 0222..exe | malicious
149.154.167.220 | PO 86540.exe | malicious
149.154.167.220 | Unterlagen PDF.exe | malicious
149.154.167.220 | JFAaEh5hB6.exe | malicious
149.154.167.220 | BMfiIGROO2.exe | malicious
149.154.167.220 | Inv_874520.exe | malicious
149.154.167.220 | Inv_95736.scr.exe | malicious
149.154.167.220 | purchase_order.exe | malicious
149.154.167.220 | RFQ_2345.exe | malicious
149.154.167.220 | Rechnung.exe | malicious
149.154.167.220 | Shipping_Doc.exe | malicious
149.154.167.220 | Purchase_Order16-122020.exe | malicious

Domains

Match | Associated Sample Name / URL | Detection | Context
api.telegram.org | WHz0D1UERA.exe | malicious | 149.154.167.220
api.telegram.org | g6ys6ZH0HO.exe | malicious | 149.154.167.220
api.telegram.org | OC 136584.PDF.exe | malicious | 149.154.167.220
api.telegram.org | Quote_13940007.exe | malicious | 149.154.167.220
api.telegram.org | SKBM 0222.exe | malicious | 149.154.167.220
api.telegram.org | crypted.exe | malicious | 149.154.167.220
api.telegram.org | PO-735643-SALES.exe | malicious | 149.154.167.220
api.telegram.org | muOvK6dngg.exe | malicious | 149.154.167.220
api.telegram.org | SKBM 0222..exe | malicious | 149.154.167.220
api.telegram.org | PO 86540.exe | malicious | 149.154.167.220
api.telegram.org | Unterlagen PDF.exe | malicious | 149.154.167.220
api.telegram.org | JFAaEh5hB6.exe | malicious | 149.154.167.220
api.telegram.org | BMfiIGROO2.exe | malicious | 149.154.167.220
api.telegram.org | Inv_874520.exe | malicious | 149.154.167.220
api.telegram.org | Inv_95736.scr.exe | malicious | 149.154.167.220
api.telegram.org | REVISED_INVOICE_Company_BankDetails_fle_doc.xlsx.exe | malicious | 149.154.167.220
api.telegram.org | purchase_order.exe | malicious | 149.154.167.220
api.telegram.org | RFQ_2345.exe | malicious | 149.154.167.220
api.telegram.org | Rechnung.exe | malicious | 149.154.167.220
api.telegram.org | Shipping_Doc.exe | malicious | 149.154.167.220

ASN

Match | Associated Sample Name / URL | Detection | Context
TELEGRAMRU | WHz0D1UERA.exe | malicious | 149.154.167.220
TELEGRAMRU | g6ys6ZH0HO.exe | malicious | 149.154.167.220
TELEGRAMRU | OC 136584.PDF.exe | malicious | 149.154.167.220
TELEGRAMRU | Quote_13940007.exe | malicious | 149.154.167.220
TELEGRAMRU | SKBM 0222.exe | malicious | 149.154.167.220
TELEGRAMRU | crypted.exe | malicious | 149.154.167.220
TELEGRAMRU | PO-735643-SALES.exe | malicious | 149.154.167.220
TELEGRAMRU | muOvK6dngg.exe | malicious | 149.154.167.220
TELEGRAMRU | SKBM 0222..exe | malicious | 149.154.167.220
TELEGRAMRU | PO 86540.exe | malicious | 149.154.167.220
TELEGRAMRU | Unterlagen PDF.exe | malicious | 149.154.167.220
TELEGRAMRU | JFAaEh5hB6.exe | malicious | 149.154.167.220
TELEGRAMRU | BMfiIGROO2.exe | malicious | 149.154.167.220
TELEGRAMRU | Inv_874520.exe | malicious | 149.154.167.220
TELEGRAMRU | Inv_95736.scr.exe | malicious | 149.154.167.220
TELEGRAMRU | purchase_order.exe | malicious | 149.154.167.220
TELEGRAMRU | RFQ_2345.exe | malicious | 149.154.167.220
TELEGRAMRU | Rechnung.exe | malicious | 149.154.167.220
TELEGRAMRU | Shipping_Doc.exe | malicious | 149.154.167.220
TELEGRAMRU | Purchase_Order16-122020.exe | malicious | 149.154.167.220

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
3b5074b1b5d032e5620f69f9f700ff0e | HblVSJaQa1.exe | malicious | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | FspMzSMtYA.exe | malicious | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | New Po #0126733 2021.exe | malicious | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | 530000.exe | malicious | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Bitcoin Mining 2021 Feb.exe | malicious | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | MT SC GUANGZHOU.exe | malicious | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | MT WOOJIN CHEMS V.2103.exe | malicious | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | EOrg2020.exe | malicious | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Bitcoin Mining 2021 Feb.exe | malicious | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | AZjP1E0nRZ.exe | malicious | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | x0yccMVTIb.exe | malicious | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | WHz0D1UERA.exe | malicious | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | malicious | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | 1i0Bvmiuqg.exe | malicious | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Variant.Zusy.368685.25375.exe | malicious | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | OC 136584.PDF.exe | malicious | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Quote_13940007.exe | malicious | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Variant.Zusy.368685.25618.exe | malicious | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | SKBM 0222.exe | malicious | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | 8WjU4jrBIr.exe | malicious | 149.154.167.220

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Drivers.exe.log
Process: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 706
Entropy (8bit): 5.342604339328228
Encrypted: false
SSDEEP: 12:Q3La/hhkvoDLI4MWuCqDLI4MWuPk21q1KDLI4M9XKbbDLI4MWuPJKiUrRZ9I0ZKm:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9px
MD5: 3A72FBECA73A61C00EECBDEC37EAD411
SHA1: E2330F7B3182A857BB477B2492DDECC2A8488211
SHA-256: 2D4310C4AB9ADEFD6169137CD8973D23D779EDD968B8B39DBC072BF888D0802C
SHA-512: 260EBFB3045513A0BA14751A6B67C95CDA83DD122DC8510EF89C9C42C19F076C8C40645E0795C15ADDF57DB65513DD73EB3C5D0C883C6FB1C34165BE35AE3889
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase order.exe.log
Process: C:\Users\user\Desktop\Purchase order.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 706
Entropy (8bit): 5.342604339328228
Encrypted: false
SSDEEP: 12:Q3La/hhkvoDLI4MWuCqDLI4MWuPk21q1KDLI4M9XKbbDLI4MWuPJKiUrRZ9I0ZKm:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9px
MD5: 3A72FBECA73A61C00EECBDEC37EAD411
SHA1: E2330F7B3182A857BB477B2492DDECC2A8488211
SHA-256: 2D4310C4AB9ADEFD6169137CD8973D23D779EDD968B8B39DBC072BF888D0802C
SHA-512: 260EBFB3045513A0BA14751A6B67C95CDA83DD122DC8510EF89C9C42C19F076C8C40645E0795C15ADDF57DB65513DD73EB3C5D0C883C6FB1C34165BE35AE3889
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 8003
Entropy (8bit): 4.839308921501875
Encrypted: false
SSDEEP: 192:yxoe5oVsm5emdVVFn3eGOVpN6K3bkkjo59gkjDt4iWN3yBGHh9smidcU6CXpOTik:DBVoGIpN6KQkj2Wkjh4iUx0mib4J
MD5: 937C6E940577634844311E349BD4614D
SHA1: 379440E933201CD3E6E6BF9B0E61B7663693195F
SHA-256: 30DC628AB2979D2CF0D281E998077E5721C68B9BBA61610039E11FDC438B993C
SHA-512: 6B37FE533991631C8290A0E9CC0B4F11A79828616BEF0233B4C57EC7C9DCBFC274FB7E50FC920C4312C93E74CE621B6779F10E4016E9FD794961696074BDFBFA
Malicious: false
Reputation: moderate, very likely benign file
Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 19640
Entropy (8bit): 5.572484966310125
Encrypted: false
SSDEEP: 384:2t9+Xm2S0uuaR30+biRISBKn7ul9bpaeQ9QRbp2cQwpPTDwiqWJI5jw:q6aR3P/4K7ulDat9qoRgszWJl
MD5: 82FF6947CCC8C0CD577C594B9F9804D9
SHA1: 8F4B30A204F6769EE80AD43A37621C0020EBAE76
SHA-256: 3FBA5040D96FCC73B0BB50A535B7F8ACB0C66592072A6625684CD556C763E8AD
SHA-512: AB54A229F3030EE75B65326A65D35D6AB89D3FDAFA6AF732453196896AF0DB4A9B3AC99958A836110633A69A3C4B5FB77038A80D9340E0666817AF6AD30ED596
Malicious: false
Reputation: low
Preview: @...e.....................'.g.T.T...Z...'.r..........@..........H...............<@.^.L."My...:?..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)V.......System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP...............-K..s.F..*.]`.,......(.Microsoft.PowerShell.Commands.ManagementD..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_00vk02bh.l3e.psm1
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:very short file (no magic)
                                                                                                        Category:dropped
                                                                                                        Size (bytes):1
                                                                                                        Entropy (8bit):0.0
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:U:U
                                                                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                        Malicious:false
                                                                                                        Reputation:high, very likely benign file
                                                                                                        Preview: 1
                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jdd0wdgo.1sf.ps1
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:very short file (no magic)
                                                                                                        Category:dropped
                                                                                                        Size (bytes):1
                                                                                                        Entropy (8bit):0.0
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:U:U
                                                                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                        Malicious:false
                                                                                                        Preview: 1
                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k3u3tnr4.sav.ps1
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:very short file (no magic)
                                                                                                        Category:dropped
                                                                                                        Size (bytes):1
                                                                                                        Entropy (8bit):0.0
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:U:U
                                                                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                        Malicious:false
                                                                                                        Preview: 1
                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y4ubbksp.mot.psm1
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:very short file (no magic)
                                                                                                        Category:dropped
                                                                                                        Size (bytes):1
                                                                                                        Entropy (8bit):0.0
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:U:U
                                                                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                        Malicious:false
                                                                                                        Preview: 1
                                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):544256
                                                                                                        Entropy (8bit):7.296683876210466
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12288:+cQS8AfwkDQl5YClyDAPxxJ/sRP7S0wvGtf:+cn8AfwDl5YClrxj/t0w+t
                                                                                                        MD5:98BE4D3BB2053810801FADEB32884ACD
                                                                                                        SHA1:8919195923883F3842FF78210AB6C6C1E448A10B
                                                                                                        SHA-256:DF61B9C866C5CEB278E173814DDF975B70B5B2E9FCBC5B482326E4163C2E1086
                                                                                                        SHA-512:4055EA00FDF72A82C2D75D7C2DFECDA9E4011708380A493FD6597015779247A03B12262DDA618A88C6AF0EC7447132322C675F1F27A16885CB78DB9728986BD1
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: ReversingLabs, Detection: 28%
                                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe:Zone.Identifier
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):26
                                                                                                        Entropy (8bit):3.95006375643621
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:ggPYV:rPYV
                                                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                        Malicious:true
                                                                                                        Preview: [ZoneTransfer]....ZoneId=0
                                                                                                        C:\Users\user\Documents\20210225\PowerShell_transcript.899552.84Dp3uuP.20210225074538.txt
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):1201
                                                                                                        Entropy (8bit):5.161841529627427
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:24:BxSAc7vBVLazx2DOXCgQRabuVM5fWOHjeTKKjX4CIym1ZJXuRabuVM5XnxSAZS:BZwvTL0oOduA+OqDYB1ZJuA3ZZS
                                                                                                        MD5:0DFD33867C55121FFE904CB48324BA7C
                                                                                                        SHA1:EC28CEA1FF2C1903454BE114B1A45601A7F2841A
                                                                                                        SHA-256:26C4FBB8EE86ADC508CCCDE90E9AE3A07AFA06FB9B53F03E33B9AEA905377334
                                                                                                        SHA-512:53D88A52E40DEEB49B40192C2C5BE05778C8CB38F4F8DD37D58E780C37D889C87FE7BF0D868AEF7E3FD5BE0F06AABC65B3490433FBE6F414E363B9C283C463CB
                                                                                                        Malicious:false
                                                                                                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20210225074553..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 899552 (Microsoft Windows NT 10.0.17134.0)..Host Application: Powershell.exe -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Purchase order.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'..Process ID: 7128..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210225074554..**********************..PS>Copy-Item 'C:\Users\user\Desktop\Purchase order.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'..************
                                                                                                        C:\Users\user\Documents\20210225\PowerShell_transcript.899552.Nq+y45_q.20210225074621.txt
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):3951
                                                                                                        Entropy (8bit):5.314377925178523
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:96:BZETL0NlEWqDo1ZKE9ZTTL0NlEWqDo1ZGZxY6HY6HU6vZe:u
                                                                                                        MD5:2E00D0DF7C077195D4F75EC25FBF7D17
                                                                                                        SHA1:FFCA4D5ACB27279BDCED9E75D14BA26213B44D7B
                                                                                                        SHA-256:68AE9A540AF7F57822E45679F3AA45DFB8BF7F1D1DE60FBC535C8D31F11FA637
                                                                                                        SHA-512:8BE5D910DDAEEA0C787359E2C969F0295F0112BEB2C974D295651949B2FD5110879AD913015519982455574DD83BF824C0365E583165555AA087B25BE7FEB96B
                                                                                                        Malicious:false
                                                                                                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20210225074643..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 899552 (Microsoft Windows NT 10.0.17134.0)..Host Application: Powershell.exe -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'..Process ID: 7032..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210225074643..**********************..PS>Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' 'C:\Users\eng

                                                                                                        Static File Info

                                                                                                        General

                                                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Entropy (8bit):7.296683876210466
                                                                                                        TrID:
                                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                        • DOS Executable Generic (2002/1) 0.01%
                                                                                                        File name:Purchase order.exe
                                                                                                        File size:544256
                                                                                                        MD5:98be4d3bb2053810801fadeb32884acd
                                                                                                        SHA1:8919195923883f3842ff78210ab6c6c1e448a10b
                                                                                                        SHA256:df61b9c866c5ceb278e173814ddf975b70b5b2e9fcbc5b482326e4163c2e1086
                                                                                                        SHA512:4055ea00fdf72a82c2d75d7c2dfecda9e4011708380a493fd6597015779247a03b12262dda618a88c6af0ec7447132322c675f1f27a16885cb78db9728986bd1
                                                                                                        SSDEEP:12288:+cQS8AfwkDQl5YClyDAPxxJ/sRP7S0wvGtf:+cn8AfwDl5YClrxj/t0w+t

                                                                                                        File Icon

                                                                                                        Icon Hash:c29ae2e8b9b88670

                                                                                                        Static PE Info

                                                                                                        General

                                                                                                        Entrypoint:0x46d0fe
                                                                                                        Entrypoint Section:.text
                                                                                                        Digitally signed:false
                                                                                                        Imagebase:0x400000
                                                                                                        Subsystem:windows gui
                                                                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                        Time Stamp:0x60369DF3 [Wed Feb 24 18:41:55 2021 UTC]
                                                                                                        TLS Callbacks:
                                                                                                        CLR (.Net) Version:v4.0.30319
                                                                                                        OS Version Major:4
                                                                                                        OS Version Minor:0
                                                                                                        File Version Major:4
                                                                                                        File Version Minor:0
                                                                                                        Subsystem Version Major:4
                                                                                                        Subsystem Version Minor:0
                                                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                        Entrypoint Preview

                                                                                                        Instruction
                                                                                                        jmp dword ptr [00402000h]
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x6d0a4          0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x6e000          0x19642       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x88000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
.text   0x2000           0x6b104       0x6b200   False     0.942199350933   data       7.98094912825    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x6e000          0x19642       0x19800   False     0.0767176011029  data       1.97122010304    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x88000          0xc           0x200     False     0.041015625      data       0.0815394123432  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name           RVA      Size     Type                                                                                                                              Language  Country
RT_ICON        0x6e220  0x98f    PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON        0x6ebb0  0x10828  dBase III DBT, version number 0, next free block index 40
RT_ICON        0x7f3d8  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_ICON        0x83600  0x25a8   dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON        0x85ba8  0x10a8   dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON        0x86c50  0x468    GLS_BINARY_LSB_FIRST
RT_GROUP_ICON  0x870b8  0x5a     data
RT_VERSION     0x87114  0x344    data
RT_MANIFEST    0x87458  0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright
Assembly Version  16.0.0.0
InternalName      POWERPNT.exe
FileVersion       16.0.0.0
CompanyName       Microsoft Corporation
Comments          Microsoft PowerPoint
ProductName       Microsoft Office 2016
ProductVersion    16.0.0.0
FileDescription   POWERPNT
OriginalFilename  POWERPNT.exe

                                                                                                        Network Behavior

                                                                                                        Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Feb 25, 2021 07:47:37.818101883 CET  49748        443        192.168.2.6      149.154.167.220
Feb 25, 2021 07:47:37.869913101 CET  443          49748      149.154.167.220  192.168.2.6
Feb 25, 2021 07:47:37.870048046 CET  49748        443        192.168.2.6      149.154.167.220
Feb 25, 2021 07:47:38.054549932 CET  49748        443        192.168.2.6      149.154.167.220
Feb 25, 2021 07:47:38.109113932 CET  443          49748      149.154.167.220  192.168.2.6
Feb 25, 2021 07:47:38.110987902 CET  443          49748      149.154.167.220  192.168.2.6
Feb 25, 2021 07:47:38.111008883 CET  443          49748      149.154.167.220  192.168.2.6
Feb 25, 2021 07:47:38.111023903 CET  443          49748      149.154.167.220  192.168.2.6
Feb 25, 2021 07:47:38.111037016 CET  443          49748      149.154.167.220  192.168.2.6
Feb 25, 2021 07:47:38.111148119 CET  49748        443        192.168.2.6      149.154.167.220
Feb 25, 2021 07:47:38.112062931 CET  443          49748      149.154.167.220  192.168.2.6
Feb 25, 2021 07:47:38.112078905 CET  443          49748      149.154.167.220  192.168.2.6
Feb 25, 2021 07:47:38.112287045 CET  49748        443        192.168.2.6      149.154.167.220
Feb 25, 2021 07:47:38.120388031 CET  49748        443        192.168.2.6      149.154.167.220
Feb 25, 2021 07:47:38.174921989 CET  443          49748      149.154.167.220  192.168.2.6
Feb 25, 2021 07:47:38.223704100 CET  49748        443        192.168.2.6      149.154.167.220
Feb 25, 2021 07:47:38.865050077 CET  49748        443        192.168.2.6      149.154.167.220
Feb 25, 2021 07:47:38.925525904 CET  443          49748      149.154.167.220  192.168.2.6
Feb 25, 2021 07:47:38.928488016 CET  49748        443        192.168.2.6      149.154.167.220
Feb 25, 2021 07:47:39.025962114 CET  443          49748      149.154.167.220  192.168.2.6
Feb 25, 2021 07:47:39.538077116 CET  443          49748      149.154.167.220  192.168.2.6
Feb 25, 2021 07:47:39.583225965 CET  49748        443        192.168.2.6      149.154.167.220
Feb 25, 2021 07:47:39.931586027 CET  49748        443        192.168.2.6      149.154.167.220
Feb 25, 2021 07:47:39.982371092 CET  443          49748      149.154.167.220  192.168.2.6
Feb 25, 2021 07:47:39.982395887 CET  443          49748      149.154.167.220  192.168.2.6
Feb 25, 2021 07:47:39.982677937 CET  49748        443        192.168.2.6      149.154.167.220
Feb 25, 2021 07:47:40.033467054 CET  443          49748      149.154.167.220  192.168.2.6
Feb 25, 2021 07:47:40.424951077 CET  443          49748      149.154.167.220  192.168.2.6
Feb 25, 2021 07:47:40.429474115 CET  49748        443        192.168.2.6      149.154.167.220
Feb 25, 2021 07:47:40.480272055 CET  443          49748      149.154.167.220  192.168.2.6
Feb 25, 2021 07:47:40.480581045 CET  49748        443        192.168.2.6      149.154.167.220

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Feb 25, 2021 07:45:27.833833933 CET  54513        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:45:27.882523060 CET  53           54513      8.8.8.8      192.168.2.6
Feb 25, 2021 07:45:28.249928951 CET  62044        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:45:28.322299004 CET  53           62044      8.8.8.8      192.168.2.6
Feb 25, 2021 07:45:29.272773027 CET  63791        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:45:29.324351072 CET  53           63791      8.8.8.8      192.168.2.6
Feb 25, 2021 07:45:30.477871895 CET  64267        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:45:30.526504040 CET  53           64267      8.8.8.8      192.168.2.6
Feb 25, 2021 07:45:31.658081055 CET  49448        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:45:31.712163925 CET  53           49448      8.8.8.8      192.168.2.6
Feb 25, 2021 07:45:33.108897924 CET  60342        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:45:33.159143925 CET  53           60342      8.8.8.8      192.168.2.6
Feb 25, 2021 07:45:33.992043018 CET  61346        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:45:34.042870998 CET  53           61346      8.8.8.8      192.168.2.6
Feb 25, 2021 07:45:58.763430119 CET  51774        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:45:58.815009117 CET  53           51774      8.8.8.8      192.168.2.6
Feb 25, 2021 07:45:59.649032116 CET  56023        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:45:59.697731018 CET  53           56023      8.8.8.8      192.168.2.6
Feb 25, 2021 07:46:00.453399897 CET  58384        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:46:00.502321005 CET  53           58384      8.8.8.8      192.168.2.6
Feb 25, 2021 07:46:02.654409885 CET  60261        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:46:02.703193903 CET  53           60261      8.8.8.8      192.168.2.6
Feb 25, 2021 07:46:03.897804976 CET  56061        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:46:03.952090979 CET  53           56061      8.8.8.8      192.168.2.6
Feb 25, 2021 07:46:04.880928993 CET  58336        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:46:04.931982040 CET  53           58336      8.8.8.8      192.168.2.6
Feb 25, 2021 07:46:05.839903116 CET  53781        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:46:05.889086008 CET  53           53781      8.8.8.8      192.168.2.6
Feb 25, 2021 07:46:07.119414091 CET  54064        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:46:07.179316044 CET  53           54064      8.8.8.8      192.168.2.6
Feb 25, 2021 07:46:08.293875933 CET  52811        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:46:08.342838049 CET  53           52811      8.8.8.8      192.168.2.6
Feb 25, 2021 07:46:17.447737932 CET  55299        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:46:17.500386000 CET  53           55299      8.8.8.8      192.168.2.6
Feb 25, 2021 07:46:18.552854061 CET  63745        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:46:18.602615118 CET  53           63745      8.8.8.8      192.168.2.6
Feb 25, 2021 07:46:19.561132908 CET  50055        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:46:19.610884905 CET  53           50055      8.8.8.8      192.168.2.6
Feb 25, 2021 07:46:21.826067924 CET  61374        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:46:21.883124113 CET  53           61374      8.8.8.8      192.168.2.6
Feb 25, 2021 07:46:24.523447990 CET  50339        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:46:24.572088957 CET  53           50339      8.8.8.8      192.168.2.6
Feb 25, 2021 07:46:32.903569937 CET  63307        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:46:33.915173054 CET  63307        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:46:33.974131107 CET  53           63307      8.8.8.8      192.168.2.6
Feb 25, 2021 07:46:34.741507053 CET  49694        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:46:34.800889015 CET  53           49694      8.8.8.8      192.168.2.6
Feb 25, 2021 07:46:35.554100990 CET  54982        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:46:35.572737932 CET  50010        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:46:35.614238024 CET  53           54982      8.8.8.8      192.168.2.6
Feb 25, 2021 07:46:35.629693985 CET  53           50010      8.8.8.8      192.168.2.6
Feb 25, 2021 07:46:35.657224894 CET  63718        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:46:35.717067957 CET  53           63718      8.8.8.8      192.168.2.6
Feb 25, 2021 07:46:36.573292971 CET  62116        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:46:36.633711100 CET  53           62116      8.8.8.8      192.168.2.6
Feb 25, 2021 07:46:37.389599085 CET  63816        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:46:37.449058056 CET  53           63816      8.8.8.8      192.168.2.6
Feb 25, 2021 07:46:38.372221947 CET  55014        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:46:38.422899008 CET  53           55014      8.8.8.8      192.168.2.6
Feb 25, 2021 07:46:39.503551960 CET  62208        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:46:39.553471088 CET  53           62208      8.8.8.8      192.168.2.6
Feb 25, 2021 07:46:41.097889900 CET  57574        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:46:41.149591923 CET  53           57574      8.8.8.8      192.168.2.6
Feb 25, 2021 07:46:42.437510014 CET  51818        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:46:42.496706963 CET  53           51818      8.8.8.8      192.168.2.6
Feb 25, 2021 07:46:43.218672037 CET  56628        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:46:43.278783083 CET  53           56628      8.8.8.8      192.168.2.6
Feb 25, 2021 07:46:53.585944891 CET  60778        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:46:53.646032095 CET  53           60778      8.8.8.8      192.168.2.6
Feb 25, 2021 07:46:54.289232969 CET  53799        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:46:54.338109970 CET  53           53799      8.8.8.8      192.168.2.6
Feb 25, 2021 07:47:08.816586971 CET  54683        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:47:08.879374981 CET  53           54683      8.8.8.8      192.168.2.6
Feb 25, 2021 07:47:10.785978079 CET  59329        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:47:10.837296963 CET  53           59329      8.8.8.8      192.168.2.6
Feb 25, 2021 07:47:12.237906933 CET  64021        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:47:12.312980890 CET  53           64021      8.8.8.8      192.168.2.6
Feb 25, 2021 07:47:37.528059959 CET  56129        53         192.168.2.6  8.8.8.8
Feb 25, 2021 07:47:37.584954023 CET  53           56129      8.8.8.8      192.168.2.6

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 25, 2021 07:47:37.528059959 CET | 192.168.2.6 | 8.8.8.8 | 0x7e5 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 25, 2021 07:46:53.646032095 CET | 8.8.8.8 | 192.168.2.6 | 0x3d85 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net | (none) | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 07:47:37.584954023 CET | 8.8.8.8 | 192.168.2.6 | 0x7e5 | No error (0) | api.telegram.org | (none) | 149.154.167.220 | A (IP address) | IN (0x0001)

HTTPS Packets

Timestamp: Feb 25, 2021 07:47:38.112062931 CET
Source IP: 149.154.167.220
Source Port: 443
Dest IP: 192.168.2.6
Dest Port: 49748
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 3b5074b1b5d032e5620f69f9f700ff0e

Certificate chain presented by the server (Subject | Issuer | Not Before | Not After):
CN=api.telegram.org, OU=Domain Control Validated | CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | Tue Mar 24 14:48:17 CET 2020 | Mon May 23 18:17:38 CEST 2022
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | Tue May 03 09:00:00 CEST 2011 | Sat May 03 09:00:00 CEST 2031
CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | Wed Jan 01 08:00:00 CET 2014 | Fri May 30 09:00:00 CEST 2031
OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | Tue Jun 29 19:06:20 CEST 2004 | Thu Jun 29 19:06:20 CEST 2034

                                                                                                        Code Manipulations

                                                                                                        Statistics

                                                                                                        CPU Usage

                                                                                                        Memory Usage

                                                                                                        High Level Behavior Distribution

                                                                                                        Behavior

                                                                                                        System Behavior

General

Start time: 07:45:34
Start date: 25/02/2021
Path: C:\Users\user\Desktop\Purchase order.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Purchase order.exe'
Imagebase: 0xd20000
File size: 544256 bytes
MD5 hash: 98BE4D3BB2053810801FADEB32884ACD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000002.00000002.337349475.00000000057B0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.334741254.00000000040B9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000002.00000002.334741254.00000000040B9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000003.324926849.0000000001303000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 07:45:36
Start date: 25/02/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Purchase order.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
Imagebase: 0xd30000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 07:45:36
Start date: 25/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 07:45:37
Start date: 25/02/2021
Path: C:\Users\user\Desktop\Purchase order.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\Purchase order.exe
Imagebase: 0x1f0000
File size: 544256 bytes
MD5 hash: 98BE4D3BB2053810801FADEB32884ACD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 07:45:38
Start date: 25/02/2021
Path: C:\Users\user\Desktop\Purchase order.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\Purchase order.exe
Imagebase: 0xf90000
File size: 544256 bytes
MD5 hash: 98BE4D3BB2053810801FADEB32884ACD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.592269588.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.599811556.00000000033E1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.599811556.00000000033E1000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 07:46:14
Start date: 25/02/2021
Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
Imagebase: 0x10000
File size: 544256 bytes
MD5 hash: 98BE4D3BB2053810801FADEB32884ACD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.423935619.0000000003529000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 0000000B.00000002.423935619.0000000003529000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000003.412342681.0000000000756000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 0000000B.00000002.429837387.0000000004B20000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 28%, ReversingLabs
Reputation: low

General

Start time: 07:46:17
Start date: 25/02/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
Imagebase: 0xd30000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 07:46:17
Start date: 25/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 07:46:19
Start date: 25/02/2021
Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
Imagebase: 0x800000
File size: 544256 bytes
MD5 hash: 98BE4D3BB2053810801FADEB32884ACD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.592230208.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

                                                                                                        Disassembly

                                                                                                        Code Analysis

                                                                                                          Executed Functions

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: c5d24574cc1637721bcd923aaf9165aa0ed422accb909b5ec91e8d7e5dec9940
                                                                                                          • Instruction ID: 9097d00aeb5d7f2b080d5a7d54f90bedc072a7d0612edb61845649d7b07cece8
                                                                                                          • Opcode Fuzzy Hash: c5d24574cc1637721bcd923aaf9165aa0ed422accb909b5ec91e8d7e5dec9940
                                                                                                          • Instruction Fuzzy Hash: 97020674910219CFCB50DFA8E845A9DBFB1FF89300F1085AAE50AA3350EB756E85DF91
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 5d71988348cd9a705828597b05171e05cf92b4ac5c08c74e3cd647ba863c84e6
                                                                                                          • Instruction ID: 2ebf3ab4a0d69bd095ffb0b0781c5519764f82afed4ea486f44b951a4a8f6284
                                                                                                          • Opcode Fuzzy Hash: 5d71988348cd9a705828597b05171e05cf92b4ac5c08c74e3cd647ba863c84e6
                                                                                                          • Instruction Fuzzy Hash: FAC15830B101199FCB149FA8D894AAE7BF6FF88754F158469E906DB3A0DB31DC41CB91
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 74d542ac74391024aa0f10a3cb15b30ea3f6b5aef0cbd90b1a80ee6917103bbd
                                                                                                          • Instruction ID: d75ea323ef93ff04fff6a6fffbc3b602165154668edabef6447ce4057a6cafcc
                                                                                                          • Opcode Fuzzy Hash: 74d542ac74391024aa0f10a3cb15b30ea3f6b5aef0cbd90b1a80ee6917103bbd
                                                                                                          • Instruction Fuzzy Hash: DB818374E002189FCB54CFA9D994A9DBBF1FF89314F2181A9E919AB365DB30AC45CF10
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 0da8cd447dd3d6a2d23006ece39cc5c4d597f5285d5821f095048520ba113d56
                                                                                                          • Instruction ID: 423c5532dd91382484e46d36f0912ab888fe473a0104db0cf77c731b5c710ae5
                                                                                                          • Opcode Fuzzy Hash: 0da8cd447dd3d6a2d23006ece39cc5c4d597f5285d5821f095048520ba113d56
                                                                                                          • Instruction Fuzzy Hash: C5818174E002189FCB54DFA9D994A9DBBF1BF89314F2181A9E919AB361DB30AC45CF10
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: c4df631e6d48c5c0d28b6226b1359d64417871bb07dd5e14f51c7289f857648f
                                                                                                          • Instruction ID: c2335a84beb377d729b3fb105a015ced68b1be793887cc5c5055409c089469c0
                                                                                                          • Opcode Fuzzy Hash: c4df631e6d48c5c0d28b6226b1359d64417871bb07dd5e14f51c7289f857648f
                                                                                                          • Instruction Fuzzy Hash: E251A075E102099FCB44DFA9D5859EDBBF2FF89310F24806AE905AB360DB31A902CF50
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: cce2ed5aede5ef09db8aa68609b5fa1fb4c500340e53c9ded22bc0ba1e2f4768
                                                                                                          • Instruction ID: 94ae9cd2344c758bb8032d0501999f3a5000d3ce485a1e726147133b89eb3f52
                                                                                                          • Opcode Fuzzy Hash: cce2ed5aede5ef09db8aa68609b5fa1fb4c500340e53c9ded22bc0ba1e2f4768
                                                                                                          • Instruction Fuzzy Hash: 97511331A11219DFCB25CF69D988AEEBBF1FF48711F15846AE805AB361DB30D844CB91
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: c065799fed8e86faf35c3b9079106e29500247f2a824e9f6acc3a86bc892b447
                                                                                                          • Instruction ID: a053b9571d6685c6c99ac82676d24fed3bd1caa933642290f301a837171331db
                                                                                                          • Opcode Fuzzy Hash: c065799fed8e86faf35c3b9079106e29500247f2a824e9f6acc3a86bc892b447
                                                                                                          • Instruction Fuzzy Hash: 5541653070051A9FDB05AF68D895AEEBBB6FFC8344F058429F9029B290DB30DC568B90
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: d2d14973cc72f1c75f1698dfc1ca9898a130438c813827fd22a0bb77c65829ab
                                                                                                          • Instruction ID: 56b71aac55ded602aeab08a1f2689dfd8b4ee15bcdd1d57cde13fa187316c696
                                                                                                          • Opcode Fuzzy Hash: d2d14973cc72f1c75f1698dfc1ca9898a130438c813827fd22a0bb77c65829ab
                                                                                                          • Instruction Fuzzy Hash: 3741B674E012099FCB44DFA9D59499EBBF2FF89300F14806AE915BB360DB31A905CF55
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 56fe8d4d3c5aa150fbe2aabb079da6370273d8a263c601ba8a40384ddf712aa0
                                                                                                          • Instruction ID: 50eb4834e5da4906259f447a88d759c586c0e219c473974333a2c2b5c02ab071
                                                                                                          • Opcode Fuzzy Hash: 56fe8d4d3c5aa150fbe2aabb079da6370273d8a263c601ba8a40384ddf712aa0
                                                                                                          • Instruction Fuzzy Hash: 22418274E012099FCB48DFA9D594AAEBBF2FF89310F108069E915BB360DB31A905CF55
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: ed7ebd45a46ec4721738450f3836ce44ccc1a3875020f0a6b8fe288b4abdf99e
                                                                                                          • Instruction ID: e1b59a677b3b418b648bf1559472dab72ed2f928ac2726773ee1873815ee6c33
                                                                                                          • Opcode Fuzzy Hash: ed7ebd45a46ec4721738450f3836ce44ccc1a3875020f0a6b8fe288b4abdf99e
                                                                                                          • Instruction Fuzzy Hash: 2E3189347041288BCB44AF78D4509AE37E6FB856987108539DA06DFBA0EF399C0987D6
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 638b86bd72f32c293688b6d808ca3846b4519f56c1a873fa6e50797779e699f4
                                                                                                          • Instruction ID: 66175f07f3e5e57d85b4b98217f8e583d6aa24c9dea8e713d9e163e016cf20eb
                                                                                                          • Opcode Fuzzy Hash: 638b86bd72f32c293688b6d808ca3846b4519f56c1a873fa6e50797779e699f4
                                                                                                          • Instruction Fuzzy Hash: D6311A74E022199FCB18DFA5D850AEEB7B2FF89304F108869D81577390CB359945CBA9
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: e2d6aea3b0adf0f4e5a8462f8e58615ea518ae2e92f66c0d8f1846d3621bcd25
                                                                                                          • Instruction ID: 45b8356109390b0ad751ad39f292333f70e9ae4dbf2fdf55bea9cbdb6a4f42a5
                                                                                                          • Opcode Fuzzy Hash: e2d6aea3b0adf0f4e5a8462f8e58615ea518ae2e92f66c0d8f1846d3621bcd25
                                                                                                          • Instruction Fuzzy Hash: A841C575E012089FCB44DFA9D5949DEBBF2FF89314F20806AE905AB361DB35A905CF50
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: a9a562d78e36dce600852adf060a9c685f1f5d3ded33100cc61652e97a2705ec
                                                                                                          • Instruction ID: ca0d6f5cd89540ca3c0133dd72c04c5e3de242c4354e8c2a7af5941f7dca96b5
                                                                                                          • Opcode Fuzzy Hash: a9a562d78e36dce600852adf060a9c685f1f5d3ded33100cc61652e97a2705ec
                                                                                                          • Instruction Fuzzy Hash: 2A41D774E002099FDB04EFA5D894AEEBBB2FB88304F208469D91577350DB396D05CFA5
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: ee44d50bb6474998ddd915be89216d82d75ad1b7151d882c6d956872dab0a072
                                                                                                          • Instruction ID: cd77990495ce445cc16e75ff1d25d2194bd6c1493b3150138cd2b0f81bfbd68e
                                                                                                          • Opcode Fuzzy Hash: ee44d50bb6474998ddd915be89216d82d75ad1b7151d882c6d956872dab0a072
                                                                                                          • Instruction Fuzzy Hash: A1310774E012199FCB18DFA5D850AEEB7B2FF89304F108869D81577390CB359945CBA9
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: aa541a1bb72f66d5b7edb65d06f7b340d25845230836ac453c371733623a5aa5
                                                                                                          • Instruction ID: 82db4703fe07c1525b5249eb0a309fba4220a1ca683eb929bf0dd14cb92c570a
                                                                                                          • Opcode Fuzzy Hash: aa541a1bb72f66d5b7edb65d06f7b340d25845230836ac453c371733623a5aa5
                                                                                                          • Instruction Fuzzy Hash: 64418174E112099FCB48DFA9D5949DEBBF2BF89300F20806AE805AB360DB35A901CF54
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 8fc500b64bcc2f80437ae3ffae41104d3cd411cc99f93ede64d35665288f3629
                                                                                                          • Instruction ID: 9474311161e8c28fedbc9dc56f04613fa57004aa12f3c4e41caaf40d7de96f75
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: cb1c08c5243069efa1546c41a4c07d50e372948043981f36f9741f883059016d
                                                                                                          • Instruction ID: 782db156554887d9033e5ddcdc18a9dacf101eaca4e0230c0d37a4d7ca7436db
                                                                                                          • Opcode Fuzzy Hash: cb1c08c5243069efa1546c41a4c07d50e372948043981f36f9741f883059016d
                                                                                                          • Instruction Fuzzy Hash: 5EE09A32875309DFC3419F60B88E3BA7FA4F70A306F00AC9AF40982600EF341948EB10
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 3aa5bd8812403dfb4950eb650240db55a218c03cef959c758024c582b86253a1
                                                                                                          • Instruction ID: 691414e02eb34104098d1d14978b4d72cd15521f5fac15bcc71c3d986f954f7d
                                                                                                          • Opcode Fuzzy Hash: 3aa5bd8812403dfb4950eb650240db55a218c03cef959c758024c582b86253a1
                                                                                                          • Instruction Fuzzy Hash: 58F08275821308DFC740EFA8E8497DC7FF0EB08305F108466D804E3610EA346A45EB55
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 615e0321c129a3ad0cc1717c96fffcb7d97e6a04f5faaa0374eadae41ec5a8f4
                                                                                                          • Instruction ID: e25b4d1bfb08fc4fb925f5ace55439105e2d20ef5c5d722235d6b2f7467bac6f
                                                                                                          • Opcode Fuzzy Hash: 615e0321c129a3ad0cc1717c96fffcb7d97e6a04f5faaa0374eadae41ec5a8f4
                                                                                                          • Instruction Fuzzy Hash: 85E0C974921208DFC740EFB8E94969DBFB5EB08305F1089A6D905E3250EB346E45DB95
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 4c391b48d0bd42bbc230d540a0b501784a6a0aad792fc122dd24baf1ddd4ba4c
                                                                                                          • Instruction ID: 9b367071da23b57e41ba864570f035eb779e8fb652dd1246a3d383430b64684a
                                                                                                          • Opcode Fuzzy Hash: 4c391b48d0bd42bbc230d540a0b501784a6a0aad792fc122dd24baf1ddd4ba4c
                                                                                                          • Instruction Fuzzy Hash: F6E0B630835309DFD701AF64A55E66A7FA8EB0A306F00AC5AB40A92100EF300908EB50
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 27b68df3f424b9ea556034741a99bf4c1a8f07e7a31e47b34f0c7ddeede0f37d
                                                                                                          • Instruction ID: 8013aada66b7c7135d0c936847e943e33adffb80b56c7337d0724c2ed4d00c5e
                                                                                                          • Opcode Fuzzy Hash: 27b68df3f424b9ea556034741a99bf4c1a8f07e7a31e47b34f0c7ddeede0f37d
                                                                                                          • Instruction Fuzzy Hash: F0D0C227A081848FCB114AE9ACA50E47F70F98720274581DBD140EE061D210D60A9360
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: ced5477798aa327fbd67298d95f641874dd836f4eb71bf0bd0fa9ccd817cbe00
                                                                                                          • Instruction ID: 50e78bb0336b60c04b0e30d7ffc1f71e2df5aa5f90e91e20282d7ae754880f7b
                                                                                                          • Opcode Fuzzy Hash: ced5477798aa327fbd67298d95f641874dd836f4eb71bf0bd0fa9ccd817cbe00
                                                                                                          • Instruction Fuzzy Hash: 20D05E7215420C6FDB510E61EC4D7BB7FE5F710321F459836F800C9141DA31D24CE614
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 9c2f7a14378292cb477ea67b2825970c3702fe00d3ece6f98a14a707cfad610c
                                                                                                          • Instruction ID: 6362d6cf180d326042e7bdddcb739152384265f4f246448a79d083f0276fa19d
                                                                                                          • Opcode Fuzzy Hash: 9c2f7a14378292cb477ea67b2825970c3702fe00d3ece6f98a14a707cfad610c
                                                                                                          • Instruction Fuzzy Hash: 7ED0C2318221088BD304DFD0EBD63FC7B34EB02309F209C66940427250DB31490DD644
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 782c27f2762a443713d7b898a713af91c2a3542d589067027dfe14c1e9e03f5e
                                                                                                          • Instruction ID: a420603bf5531d554fa07592f523e86c1c53595cdbf873884c3e73863fb97be9
                                                                                                          • Opcode Fuzzy Hash: 782c27f2762a443713d7b898a713af91c2a3542d589067027dfe14c1e9e03f5e
                                                                                                          • Instruction Fuzzy Hash: 0ED0A73082710C9FC304EF94DA557FDBFBCE706309F009C99940423200EF315908DA54
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 135c4e48deb40f4a6705c085be696c66984d044888300e8700b9d26daac944d7
                                                                                                          • Instruction ID: 1ed1d0380cd917d1ce8b94e66d114f9de48c1162a1c1474fb0a1acf6e236b704
                                                                                                          • Opcode Fuzzy Hash: 135c4e48deb40f4a6705c085be696c66984d044888300e8700b9d26daac944d7
                                                                                                          • Instruction Fuzzy Hash: 92D022308613189FC3588BACE4997EF7B68FF0334CF010A62E8042B012E3724819C684
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 952cec59f8b4c81def26f7ce754c82a4fbcaef6b2f3cf858c62420726039d1e9
                                                                                                          • Instruction ID: 47030fbc63bf0ea7b24ef2dc5556fe1f3add86f4cdcdeb56a00992a5a7af24a2
                                                                                                          • Opcode Fuzzy Hash: 952cec59f8b4c81def26f7ce754c82a4fbcaef6b2f3cf858c62420726039d1e9
                                                                                                          • Instruction Fuzzy Hash: 30D0523304828CBFCB020F80EC02AEA3F36EB0A311F448482FA44580A2CA739130FB75
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 7d26414421f3b7bd5d7d84367dc6b8c5cf653167b0eb3ad7c88bc1256f7f7206
                                                                                                          • Instruction ID: 4ec2c7980819b2ebd223a71bae17c5ca5f967a22a3a5ad52fd1cf4ec4e911ed7
                                                                                                          • Opcode Fuzzy Hash: 7d26414421f3b7bd5d7d84367dc6b8c5cf653167b0eb3ad7c88bc1256f7f7206
                                                                                                          • Instruction Fuzzy Hash: 6AD0A9312003089FDB100E61E808B2B7EDABB00210F008825E800CA040DB30C048E610
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: f7f7d67379dde6917ad730ea7fe25f6c541f2c7e5c8780f8ce7f6c79556a05b4
                                                                                                          • Instruction ID: fc5552bad5143f584285be26d246325caa3f0cb207642f9ed0920666861a3459
                                                                                                          • Opcode Fuzzy Hash: f7f7d67379dde6917ad730ea7fe25f6c541f2c7e5c8780f8ce7f6c79556a05b4
                                                                                                          • Instruction Fuzzy Hash: 16C02B304127084BC11416DC704C3F87A5CB30330DF401D11E10C120110B705404C194
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 53046ff18de8011a84cfcaf984b8ca432cb06ab69bec88708bc5bb6ab2cbe2b7
                                                                                                          • Instruction ID: c5b8a863c7d479a708ad686c4bef427512b8f47803a403072913090f7d83e88b
                                                                                                          • Opcode Fuzzy Hash: 53046ff18de8011a84cfcaf984b8ca432cb06ab69bec88708bc5bb6ab2cbe2b7
                                                                                                          • Instruction Fuzzy Hash: 09C0023604020DBFCF025EC1EC05EDA7F2AEB08750F008401FA191806287B39570BBA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Non-executed Functions

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 249bde32910e7ee890f807983318854b1dd618bb9e879f0283203c6e6870e3c8
                                                                                                          • Instruction ID: bfe5631c18b66a9611b1e4ef489ba45a43fc52ffb3f4b0ae20ca02813d6ea27b
                                                                                                          • Opcode Fuzzy Hash: 249bde32910e7ee890f807983318854b1dd618bb9e879f0283203c6e6870e3c8
                                                                                                          • Instruction Fuzzy Hash: 4681BE71D156468FC744DFB9E8916CA7FF2EF89304F04C87AD004AB660EF3968099B96
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 116344cf1964ab3869a6acffd485404bb4abf47d6cbdf9ca3a4d1f3a38d87e94
                                                                                                          • Instruction ID: 41e7961e1eb64eb84543707cdd7eabc0da9dd1e074838f24b0d859d364e55bb8
                                                                                                          • Opcode Fuzzy Hash: 116344cf1964ab3869a6acffd485404bb4abf47d6cbdf9ca3a4d1f3a38d87e94
                                                                                                          • Instruction Fuzzy Hash: BC618F71E106068FD744DFAAE49168E7FF2FBC8304F04C83AD104AB264EF7969059B95
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Executed Functions

                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.596797298.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: InitializeThunk
                                                                                                          • String ID:
                                                                                                          • API String ID: 2994545307-0
                                                                                                          • Opcode ID: 6b19fa69f83d642365df04fb1ae432bd00b72709cfe056c87d43aac9a528ded9
                                                                                                          • Instruction ID: ef1a72e30d5759599fedc77bb99ba5a9a95d188703ad11c6dbbb43bee923245e
                                                                                                          • Opcode Fuzzy Hash: 6b19fa69f83d642365df04fb1ae432bd00b72709cfe056c87d43aac9a528ded9
                                                                                                          • Instruction Fuzzy Hash: A0621931E006198FCB64EF78C85469EB7F2BF89304F1085A9D54AAB355EF309E85CB91
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%
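
Every function listed above lives in a memory dump that is "based on PE: false" and whose file name carries protection value 00000040, i.e. code that was executed from a non-image region rather than from a section of the loaded executable. That is the footprint an analyst looks for when the report also says "Creates a process in suspended mode (likely to inject code)". The following triage helper is an added example, not part of the Joe Sandbox report or of Joe Sandbox itself. It assumes the .sdmp file name is laid out as process index, dump round, dump id, base address, protection and type, with the protection field being a Win32 PAGE_* constant in hex; that layout is an assumption, as is reading "based on PE: false" as "not backed by a mapped PE image". The sample input copies three entries from this page and adds one constructed, image-backed PAGE_EXECUTE_READ entry so the check has something it must not flag.

```python
"""Triage Joe Sandbox 'Memory Dump Source' entries: group listed functions by
memory region and flag regions that are executable, writable and not backed by
a PE image (the profile of injected or unpacked code).

Added example, not Joe Sandbox code. ASSUMED .sdmp name layout:
    <process index>.<dump round>.<dump id>.<base address>.<protection>.<type>.sdmp
with <protection> a Win32 PAGE_* constant written in hex.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Win32 page protection constants (winnt.h); modifiers such as PAGE_GUARD are
# masked off with & 0xFF before lookup.
PAGE_PROTECTION = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY",
                   0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
                   0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                   0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

SOURCE_RE = re.compile(
    r"Source File:\s*(?P<file>\S+?\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)", re.IGNORECASE)


@dataclass
class DumpRegion:
    process: int
    dump_round: int
    base: int
    protection: int
    based_on_pe: bool

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection & 0xFF, hex(self.protection))

    def is_rwx(self) -> bool:
        p = self.protection & 0xFF
        return p in EXECUTABLE and p in WRITABLE

    def looks_injected(self) -> bool:
        # Executable + writable + no backing image: code somebody wrote into
        # memory at runtime, not a section the loader mapped from disk.
        return self.is_rwx() and not self.based_on_pe


def parse_region(file_name: str, based_on_pe: bool) -> DumpRegion:
    """Decode the ASSUMED field layout of a Joe Sandbox .sdmp file name."""
    parts = file_name[: -len(".sdmp")].split(".")
    if len(parts) < 5:
        raise ValueError(f"unexpected dump file name: {file_name}")
    process, dump_round, _dump_id, base, protection = parts[:5]
    return DumpRegion(int(process, 16), int(dump_round, 16), int(base, 16),
                      int(protection, 16), based_on_pe)


def parse_entries(report_text: str) -> list[dict]:
    """Split report text into one dict per 'Memory Dump Source' entry, remembering
    whether the entry sits under 'Executed Functions' or 'Non-executed Functions'."""
    entries: list[dict] = []
    current: dict | None = None
    executed: bool | None = None
    for raw in report_text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line in ("Executed Functions", "Non-executed Functions"):
            executed = line == "Executed Functions"
            continue
        if line == "Memory Dump Source":
            current = {"executed": executed}
            entries.append(current)
            continue
        if current is None:
            continue
        m = SOURCE_RE.search(line)
        if m:
            current["region"] = parse_region(m["file"], m["pe"].lower() == "true")
            continue
        key, _, value = line.partition(":")
        current[key.strip().lower().replace(" ", "_")] = value.strip()
    return [e for e in entries if "region" in e]


def summarize(entries: list[dict]) -> dict[tuple[int, int], dict]:
    """Aggregate functions per (process index, base address) and flag the region."""
    regions: dict[tuple[int, int], dict] = {}
    for e in entries:
        r = e["region"]
        s = regions.setdefault((r.process, r.base), {
            "protection": r.protection_name, "based_on_pe": r.based_on_pe,
            "functions": 0, "executed": 0, "api_ids": set(),
            "flag": r.looks_injected()})
        s["functions"] += 1
        s["executed"] += 1 if e.get("executed") else 0
        if e.get("api_id"):
            s["api_ids"].add(e["api_id"])
    return regions


# Sample input: the first three entries are copied from this report (process 2
# region 015B0000, process 7 regions 01730000 and 015D0000); the fourth is
# CONSTRUCTED to represent an image-backed, non-writable .text section.
SAMPLE = """
Non-executed Functions
Memory Dump Source
• Source File: 00000002.00000002.333609144.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false
• API ID:
• Opcode ID: 249bde32910e7ee890f807983318854b1dd618bb9e879f0283203c6e6870e3c8
Executed Functions
Memory Dump Source
• Source File: 00000007.00000002.596797298.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
• API ID: InitializeThunk
• Opcode ID: 6b19fa69f83d642365df04fb1ae432bd00b72709cfe056c87d43aac9a528ded9
Memory Dump Source
• Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
• API ID:
• Opcode ID: 3dcfd382dbad5527eb856cb9314c6120d88458e4744a0404cd6f476bbe867d3a
Memory Dump Source
• Source File: 00000000.00000002.100000000.0000000000401000.00000020.00000001.sdmp, Offset: 00401000, based on PE: true
• API ID: CreateFileW
• Opcode ID: 0000000000000000000000000000000000000000000000000000000000000000
"""


def triage(report_text: str = SAMPLE) -> list[str]:
    """One line per region, flagged regions first."""
    summary = summarize(parse_entries(report_text))
    ordered = sorted(summary.items(), key=lambda kv: (not kv[1]["flag"], kv[0]))
    lines = []
    for (proc, base), s in ordered:
        verdict = ("-> SUSPECT: executable+writable, not image-backed"
                   if s["flag"] else "-> ok")
        apis = ", ".join(sorted(s["api_ids"])) or "none"
        lines.append(f"process {proc} base {base:#010x} {s['protection']} "
                     f"pe={s['based_on_pe']} funcs={s['functions']} "
                     f"executed={s['executed']} apis={apis} {verdict}")
    return lines


if __name__ == "__main__":
    print("\n".join(triage()))
```

Run against the full report text, the same grouping tells you how many distinct non-image RWX regions the sample executed from and which of them resolved API references (here only the InitializeThunk function in process 7's 01730000 region), which is a quicker starting point for dumping and unpacking than reading the per-function hashes one by one.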

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.596797298.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.596797298.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.596797298.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.596686945.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 0172B8E4
Memory Dump Source
• Source File: 00000007.00000002.596686945.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0172BB51
Memory Dump Source
• Source File: 00000007.00000002.596686945.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0172BB51
Memory Dump Source
• Source File: 00000007.00000002.596686945.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.596797298.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 0172B8E4
Memory Dump Source
• Source File: 00000007.00000002.596686945.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0172EBBA), ref: 0172ECA7
Memory Dump Source
• Source File: 00000007.00000002.596686945.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
Similarity
• API ID:
• String ID: P@,l
• API String ID: 0-3890617251
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
Similarity
• API ID:
• String ID: P@,l
• API String ID: 0-3890617251
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                          • Opcode ID: cf7d40e2bbaac9e8ab28e91725eb44bbc9aa050185bc8cdb2eb020459e409eb6
                                                                                                          • Instruction ID: 184285e5e7878a2c7b35cbe67aa638db6a7809bad16168b6322f6c3ffa850542
                                                                                                          • Opcode Fuzzy Hash: cf7d40e2bbaac9e8ab28e91725eb44bbc9aa050185bc8cdb2eb020459e409eb6
                                                                                                          • Instruction Fuzzy Hash: B3624F34A042198FEB64DBA4C850BEEBBB6FF85304F2084A9D50AAF790DB359D41DF51
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 4fa38ceda88dc5dffec8375327e2888bc175a26cec86d7ce5eed72aa9b10e042
                                                                                                          • Instruction ID: aa0672fe20898f679c663ec15860962df3eb840684eacafb007331784c97fa5e
                                                                                                          • Opcode Fuzzy Hash: 4fa38ceda88dc5dffec8375327e2888bc175a26cec86d7ce5eed72aa9b10e042
                                                                                                          • Instruction Fuzzy Hash: 39327934B002058FCB64DB7CD888AAEBBF2BF89214B1584A9E506DF3A5DB35DC45CB51
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: d9c65046f55f79f6386e1ef93e33c6ac141d319675d3b01a2ab9036ff84d1264
                                                                                                          • Instruction ID: 0b890647889e86bd79eeda81eda545e08c1ad7c6c9a62cd0df01903873916745
                                                                                                          • Opcode Fuzzy Hash: d9c65046f55f79f6386e1ef93e33c6ac141d319675d3b01a2ab9036ff84d1264
                                                                                                          • Instruction Fuzzy Hash: A1124B74E012058FDB20DBACD8946ADBBB2FB8A304F158965D404EF791EB349D45CF91
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 769fc161bf58835b0304d00c3b1cb13ddd952a556637f66d74963bca63989377
                                                                                                          • Instruction ID: 2b9de8297346ebf039f614a9f057e1199f548601e3e155aeda67a0915b330ebb
                                                                                                          • Opcode Fuzzy Hash: 769fc161bf58835b0304d00c3b1cb13ddd952a556637f66d74963bca63989377
                                                                                                          • Instruction Fuzzy Hash: 83E1A3307093858FD7668779D8556EA3BF6AF86314F1A80F6E144CF293E678CC058B62
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: a7643cc303f8c38eb4d90e58878d33113e1b18e76349f23395f053f8d6caca53
                                                                                                          • Instruction ID: 80b193d4a3ada39bf915d643e49eeb6a4c37222e706e8e8bc8737303a53cddc2
                                                                                                          • Opcode Fuzzy Hash: a7643cc303f8c38eb4d90e58878d33113e1b18e76349f23395f053f8d6caca53
                                                                                                          • Instruction Fuzzy Hash: 88D15A74E012058FEB31CA6CC4847ADB7B2FB86314F668566E405DF392EB35DC858B52
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 0745741d45f4246d1dc83391d8258cc1bc0b40ab71ae0a6d849ca6edda1a2a2d
                                                                                                          • Instruction ID: 40b4a60b822b2214833609e606f1f987e0d91ad989b4dc3d24903aabbb222181
                                                                                                          • Opcode Fuzzy Hash: 0745741d45f4246d1dc83391d8258cc1bc0b40ab71ae0a6d849ca6edda1a2a2d
                                                                                                          • Instruction Fuzzy Hash: 6FD18174A006049FCB24DF69C4849AEBBF5FF89314B25856AE50ACF765DB31EC42CB90
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: bbfb8050f62867c3e9ce7099fbc9c115db5ec9254966563d01ab0b354c5626d8
                                                                                                          • Instruction ID: 82527689e41fbe055054d7aa4c35f4b749c3d46f69cc4dbb4de7e801d95f21d5
                                                                                                          • Opcode Fuzzy Hash: bbfb8050f62867c3e9ce7099fbc9c115db5ec9254966563d01ab0b354c5626d8
                                                                                                          • Instruction Fuzzy Hash: 9EC10E343046058FDB26AB68C8D4B6E7BE6BFC9205F158469EA06CF395DB34CC42CB91
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 8c70983388a3ef932faabf45364129f4bdf886875493c724bc3005e3855456e3
                                                                                                          • Instruction ID: 5de4eadfff36afceee84b36e7d7ed1e28bc27e937f7e5380f131345cc018cf39
                                                                                                          • Opcode Fuzzy Hash: 8c70983388a3ef932faabf45364129f4bdf886875493c724bc3005e3855456e3
                                                                                                          • Instruction Fuzzy Hash: B3D1F475A002158FCB25CF6DD5889ADBBF6BF88310B1A84A9E519AB371DB30EC41CB50
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: f099207b9292f8bc78774b66d2a04578f0c397aef32d1ebadab5d971b8406092
                                                                                                          • Instruction ID: 41cee731038554b233683b52a878ab2c4e10fd9993d4e3f245646b60a725ba60
                                                                                                          • Opcode Fuzzy Hash: f099207b9292f8bc78774b66d2a04578f0c397aef32d1ebadab5d971b8406092
                                                                                                          • Instruction Fuzzy Hash: D1B19D30A002058BDB75DBBCC4947AEBBB6FB8A314F16896AD505DF781DB34DC818B91
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 9f5e959659a72e4e5eab575d9c1c76970a5fc61700c879064e11dfefc46be068
                                                                                                          • Instruction ID: 98889d67a05c3771f341c4402dbba7fb35968e555412b72efb0014c63aa23620
                                                                                                          • Opcode Fuzzy Hash: 9f5e959659a72e4e5eab575d9c1c76970a5fc61700c879064e11dfefc46be068
                                                                                                          • Instruction Fuzzy Hash: 9BD1F771A001198FCB24CFADD98899DBBF6FF88314B1A8599E519AB771DB30EC41CB50
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 6d7054ceef39fa9021cc90368a246485e613ea7c6ce222c8745fcc0fdd28debe
                                                                                                          • Instruction ID: 87abe97f3edb1b8f18a1604a2134464e64f2fbd1c4521620b82d7c7efda9fedc
                                                                                                          • Opcode Fuzzy Hash: 6d7054ceef39fa9021cc90368a246485e613ea7c6ce222c8745fcc0fdd28debe
                                                                                                          • Instruction Fuzzy Hash: E1A1CE30A002459FD7249B78C859BAE7AE6FFC5308F19C4AAD0069F3A2DB75DC45CB52
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 38e0ee153e23eb9fbfcc1379c44c8a1d09414c4a67b1674979c7028abbd3920a
                                                                                                          • Instruction ID: 2c7e5a8cb7741106559ced0a25a3b30877fd1b28a92e3dd83b69c22df734e0f4
                                                                                                          • Opcode Fuzzy Hash: 38e0ee153e23eb9fbfcc1379c44c8a1d09414c4a67b1674979c7028abbd3920a
                                                                                                          • Instruction Fuzzy Hash: 2391BE34B00A068FDB24DFACC4C49AEBBB6FF89244B15856AD506DF361D731E841CB91
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 5b588d3177f534549d689285be45f7a4c6f19bd8beef2ade8b4e55fcc6cc58b1
                                                                                                          • Instruction ID: 089842d5f7d87832ddf16d116b76931a8ddf37b82f7dfec1b2670c83032fab45
                                                                                                          • Opcode Fuzzy Hash: 5b588d3177f534549d689285be45f7a4c6f19bd8beef2ade8b4e55fcc6cc58b1
                                                                                                          • Instruction Fuzzy Hash: 1B918231A102199FCB25CF6DC884AAEBBB5FF44311F168469E9159F362EB70EC41CB91
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: bfe4f52521d58c95f25b4502b9d52172c880eb21ae712222d893328c5ca23584
                                                                                                          • Instruction ID: 3a52d85363618fe411ff6e6b2ab0059d19f8a6831e9de2c5c24b4d0b3277ad3f
                                                                                                          • Opcode Fuzzy Hash: bfe4f52521d58c95f25b4502b9d52172c880eb21ae712222d893328c5ca23584
                                                                                                          • Instruction Fuzzy Hash: D771DF30A042058BDB258BADC5447ADBBB7BF85318F24C1AAD5099F3D6E7B28C45C792
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 7e610d06dd21db0d80391790434d3a37414407aba76a30b014f95bd55e88f5df
                                                                                                          • Instruction ID: c3343a7032c36c2fc960ecd68ddaff48d166704b54f1a068f62cc2fa9095bbdf
                                                                                                          • Opcode Fuzzy Hash: 7e610d06dd21db0d80391790434d3a37414407aba76a30b014f95bd55e88f5df
                                                                                                          • Instruction Fuzzy Hash: 46619A30B002059FD764AB78C859BAEBAE2FFC5208F198469D10A9F390DE75EC458792
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: ab8cbfa8ac0ec59b3b1ac52b37a7670e9fffaf18f225f4a6cbe74f3d58166658
                                                                                                          • Instruction ID: 899b8f6f50d2b41c344dc314c6e1a21b5639789ecd92d92778f5868a816073d9
                                                                                                          • Opcode Fuzzy Hash: ab8cbfa8ac0ec59b3b1ac52b37a7670e9fffaf18f225f4a6cbe74f3d58166658
                                                                                                          • Instruction Fuzzy Hash: DB61D7307093818FD72287AC84447AD7FB6AB82314F1980EAD048CF6D7E67ACC46C762
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 0eb4800846d7dbe50b5ff9e65a67c05abf9dc4d8c17589e01f5d0c74333a9959
                                                                                                          • Instruction ID: 62ffda4e76430e6568916f88c74db1135abb23f57c2d405b182f973494909200
                                                                                                          • Opcode Fuzzy Hash: 0eb4800846d7dbe50b5ff9e65a67c05abf9dc4d8c17589e01f5d0c74333a9959
                                                                                                          • Instruction Fuzzy Hash: EF51BF713141159FEB60DF3EC884A6ABBE9FF4965071944AAE506CF362DB31DC04CB62
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 0497fe007b81dcecc1ce2fad470f016791eb7cfa917e281c1deba6abcde88f30
                                                                                                          • Instruction ID: 803e22f57e156f6ec6bb914b7eae75e9ec304dfa6b68964bfbd974f72f06e41a
                                                                                                          • Opcode Fuzzy Hash: 0497fe007b81dcecc1ce2fad470f016791eb7cfa917e281c1deba6abcde88f30
                                                                                                          • Instruction Fuzzy Hash: 7E517D30A001058BDF35CAACC4847AEB7B7FB8A314F664929D509EF742DB35DD818BA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 451f62a8d6cebda1936cbd54d9bdba7e70c60ee780a9d880fb8b759d7e60421f
                                                                                                          • Instruction ID: 7b8f0b18ef6c2758ac17b6d826aa6081f2d13f47281fe3617de78ecb2e5e8dcb
                                                                                                          • Opcode Fuzzy Hash: 451f62a8d6cebda1936cbd54d9bdba7e70c60ee780a9d880fb8b759d7e60421f
                                                                                                          • Instruction Fuzzy Hash: AD6112747501058FCB94EF28D88895EBBF2BF89614B1184A8E606CF3A6EB71ED05CB50
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 854eabb6cedfcdb0338beab4c75f3c8cdc1cc8741d3633fe4c4ceafc60460e4b
                                                                                                          • Instruction ID: 08641efeab085dc2ea4144e307c746b3f7b1a4c34d4fe08f20871b19c001ee19
                                                                                                          • Opcode Fuzzy Hash: 854eabb6cedfcdb0338beab4c75f3c8cdc1cc8741d3633fe4c4ceafc60460e4b
                                                                                                          • Instruction Fuzzy Hash: 8741D3313042558FCB26DF29D894A6E3BFAFF89215F4440A9E509CF2A2EB35DC02CB51
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: aff54c9877323d93e012fe0a6931669ecd26478440825a36f038ce1e7feffb5e
                                                                                                          • Instruction ID: ce10319db954231552f42d3538d8657b689ad69446f1458475d641c42e596103
                                                                                                          • Opcode Fuzzy Hash: aff54c9877323d93e012fe0a6931669ecd26478440825a36f038ce1e7feffb5e
                                                                                                          • Instruction Fuzzy Hash: 58513B31A10219CFCB25CF5CC584A5DBBB1BF45310F1A84A9E9599F3A2EBB0EC40CB90
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 89d6d62233e3c0c29d3a4f056c604b335ca301e7dbc10ca03c27a85d9015ca34
                                                                                                          • Instruction ID: ff1be3791ce38d204c108b80d8d10ceaa226c08b04a99015df4b14cc164e1729
                                                                                                          • Opcode Fuzzy Hash: 89d6d62233e3c0c29d3a4f056c604b335ca301e7dbc10ca03c27a85d9015ca34
                                                                                                          • Instruction Fuzzy Hash: 14413AB47001159FDB65DF2DD888AAE7BB6FF88314F100469EA168B3A1C771DD40CB92
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: c2b81bddb9fcd165e9be2c9fb72b4028b844073056d4fc3b8e2c8531154c6d44
                                                                                                          • Instruction ID: b273325492f15fdc25f02326d97f67866e161cdb95768ce15aa5c1b4c65dce3a
                                                                                                          • Opcode Fuzzy Hash: c2b81bddb9fcd165e9be2c9fb72b4028b844073056d4fc3b8e2c8531154c6d44
                                                                                                          • Instruction Fuzzy Hash: 6E3159717052444FC721ABBDAC904AA7BFAEFC62587094566E604CF3A2EF31DC0183A1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: c047e2c9e65c1108d9670e2db3f6339c0f1ba852d8b23cae96215c48b8bfc16b
                                                                                                          • Instruction ID: 76d4e4d076c3e66a3dff185bb88dc43339a37c735f8660bf0f47593cd64dad19
                                                                                                          • Opcode Fuzzy Hash: c047e2c9e65c1108d9670e2db3f6339c0f1ba852d8b23cae96215c48b8bfc16b
                                                                                                          • Instruction Fuzzy Hash: 10419239B501049FCB54DF69C998E5ABBF6EF88715B268098E906DB771DB31EC02CB40
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: e117c8e6b1d7fa24bef5c55c63073865c033d54e6da5c8fad0ccdd8d5b4f4ba2
                                                                                                          • Instruction ID: 2c0a60f5eef43b74fec0ae64480ac79bcd5b5ac56a24ca028014140480bc775f
                                                                                                          • Opcode Fuzzy Hash: e117c8e6b1d7fa24bef5c55c63073865c033d54e6da5c8fad0ccdd8d5b4f4ba2
                                                                                                          • Instruction Fuzzy Hash: 4621F1713052058FDB76733D98945BE7AABBFC1558718407AE602CF7A2EB24CC419BA3
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 98ea3f9842ce766cd9a1a1447db6fb65f214600ede31fa9e8e54e2392a3d5e3f
                                                                                                          • Instruction ID: d1ef748fbf0af7cafbbf10b9d653bb259890861ac0a6c91039b45fee1095de65
                                                                                                          • Opcode Fuzzy Hash: 98ea3f9842ce766cd9a1a1447db6fb65f214600ede31fa9e8e54e2392a3d5e3f
                                                                                                          • Instruction Fuzzy Hash: 4F2103713002044BDB75762D989467E7A9BFFC0658F24407AD602CF7D5EB25CC829792
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: aea53e51a0449d8e51664044d28b6968af79c99a100ff031bfe018e43553407f
                                                                                                          • Instruction ID: b0f155d91b124f333b09ea932b0a9c1c96e76ee6deff686f7d99da91770aee99
                                                                                                          • Opcode Fuzzy Hash: aea53e51a0449d8e51664044d28b6968af79c99a100ff031bfe018e43553407f
                                                                                                          • Instruction Fuzzy Hash: 3431503120050A9FCF269F6DD894AAE3BB6FF88310F444029FA16CB251DB39CD619F90
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 5100635c9a410663ec95cfedf4ba8836c6245d5b9fcf205a492582d5a2f2da22
                                                                                                          • Instruction ID: b2f367aefabb8b60f4140a75ece54acdb4ace18f51ed5b98d1bb8dada04e473b
                                                                                                          • Opcode Fuzzy Hash: 5100635c9a410663ec95cfedf4ba8836c6245d5b9fcf205a492582d5a2f2da22
                                                                                                          • Instruction Fuzzy Hash: AE21A1B17042559BEB60CF6FD880A6B7BEAFF49641F054426E912CF260DB35CD04C7A2
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 41327857c6908dd601ce1f941843a2f87c1f7255b970a1073a776bf58d6ec83c
                                                                                                          • Instruction ID: 064cf50e354e8e2f38ee27137fc7b68dff3fd9139912ebe4abe0bfb7a0965142
                                                                                                          • Opcode Fuzzy Hash: 41327857c6908dd601ce1f941843a2f87c1f7255b970a1073a776bf58d6ec83c
                                                                                                          • Instruction Fuzzy Hash: 7931BF30A002098FCB65CBA9D9859EEBBF6FB88310F25806AD508DB301E730DC41CB91
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 4837fb50cbe58067b0d69cca377bca04750e97cf63527756f219fe104b0ecee1
                                                                                                          • Instruction ID: 46046440f1ae73e3d9acc75b915db81ffac39f3607d480a35186ab3487bacf58
                                                                                                          • Opcode Fuzzy Hash: 4837fb50cbe58067b0d69cca377bca04750e97cf63527756f219fe104b0ecee1
                                                                                                          • Instruction Fuzzy Hash: 9921C830A012425FC7A1A77D88096EF3BF5EFD5350B0640B5D409DF251FA348C068BE6
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.597231553.00000000018ED000.00000040.00000001.sdmp, Offset: 018ED000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 2f7f3545a0f6bff80fce4e8167434e61636a38ae5b9270e7b7e93d488d188437
                                                                                                          • Instruction ID: 87f44793d197519073ff6dabd1b276f39c49cc907aea89f803903267c450c295
                                                                                                          • Opcode Fuzzy Hash: 2f7f3545a0f6bff80fce4e8167434e61636a38ae5b9270e7b7e93d488d188437
                                                                                                          • Instruction Fuzzy Hash: 47213771504244DFCB11CF54D9C8B16BFA5FB89358F28CA69D8098B346C33AD94BCA61
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 77cfd1535e1f844fa4bf0c42f74dd4b00bac8d380f268be4b0d8644886a6928f
                                                                                                          • Instruction ID: 71f5047c7ad5f500ba4e8094965df5035f4bbc1318a97d3a8541e6b31907738e
                                                                                                          • Opcode Fuzzy Hash: 77cfd1535e1f844fa4bf0c42f74dd4b00bac8d380f268be4b0d8644886a6928f
                                                                                                          • Instruction Fuzzy Hash: BA110431305A119FD3269B2DC89087E7BEAFFC9251B0801A9EA06CF351CB20CC4287D0
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 9f75f27724b7c43183ba641d331bca7930549d9d1aa9951bb0fd3c7fff6b2983
                                                                                                          • Instruction ID: 88cc7c0d74cecf76d125b78abf5277e0ed4598750c0f7c6c4b86c727765200c7
                                                                                                          • Opcode Fuzzy Hash: 9f75f27724b7c43183ba641d331bca7930549d9d1aa9951bb0fd3c7fff6b2983
                                                                                                          • Instruction Fuzzy Hash: F8215C30E012489FDB15CFB9E954AEEBFB6FF89304F14802AE511EA250DB359946DB60
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.597231553.00000000018ED000.00000040.00000001.sdmp, Offset: 018ED000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 74bbd39b7c343484b0a40a720c95796bfb1aa54bd1b1b1bf18b330ab98d8ac86
                                                                                                          • Instruction ID: ed6697d5909675178311f15ff7c1aa893444ed48332a153019bd961a52030444
                                                                                                          • Opcode Fuzzy Hash: 74bbd39b7c343484b0a40a720c95796bfb1aa54bd1b1b1bf18b330ab98d8ac86
                                                                                                          • Instruction Fuzzy Hash: B92153755083809FCB02CF54D994715BFB1EB46314F28C6EAD8458F257C33A995ACB62
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.595653854.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Non-executed Functions

Executed Functions

Memory Dump Source
• Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          • Opcode Fuzzy Hash: 6c5d0746c07bead4c7679f47a28b7d38e923f746d27ada958e3ef97280ae9b64
                                                                                                          • Instruction Fuzzy Hash: 1A31CE343001144FCB84ABB9D410DAE32EBEF8664871145B8DA02CBBA8DF25EC0E87D6
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 0d0fbd6781562209852311938e236c1b838625c192fe360b64a0bc1cfdc964b3
                                                                                                          • Instruction ID: f47c17d20d6b66fb8c906187159aec047091173dab76a7ee454ec80ef7bb31e4
                                                                                                          • Opcode Fuzzy Hash: 0d0fbd6781562209852311938e236c1b838625c192fe360b64a0bc1cfdc964b3
                                                                                                          • Instruction Fuzzy Hash: 3641B374E012189FCB44DFA9D594ADEBBF2FF89304F20806AE505AB360DB359901CF64
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 69465d7c519cc17ac15d8d7a61ae75c9c932cb05f61680db093963c68341c115
                                                                                                          • Instruction ID: a19de4d6f4c8619ad6994ec63bdaea5ca9120fa3a56dd170fe592716f5149b54
                                                                                                          • Opcode Fuzzy Hash: 69465d7c519cc17ac15d8d7a61ae75c9c932cb05f61680db093963c68341c115
                                                                                                          • Instruction Fuzzy Hash: B0313874E022198FCB18DFA5D850AEEB7B2FF9A304F108869D81577394CB319906CB65
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 9304cedc8757bca54b10eb83037b6d4bc0f7cfeba7ae203de502a2d2344f2d22
                                                                                                          • Instruction ID: da38304bcbdfdb70faa678d367b043bd83d8b6360a88cef53aa05aa258099257
                                                                                                          • Opcode Fuzzy Hash: 9304cedc8757bca54b10eb83037b6d4bc0f7cfeba7ae203de502a2d2344f2d22
                                                                                                          • Instruction Fuzzy Hash: E0419075E012199FCB48DFA9D59499EBBF2EF89300F208069E905AB360DB35AD01CF65
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 215876571dba5ed47768fc1d3da069daef8864a672ad93cd83c42c4c33198788
                                                                                                          • Instruction ID: 18adaf1df6c1b7ccb84226e23a4fad2ae2fea3086622683cf3ef5e2da72a7789
                                                                                                          • Opcode Fuzzy Hash: 215876571dba5ed47768fc1d3da069daef8864a672ad93cd83c42c4c33198788
                                                                                                          • Instruction Fuzzy Hash: 18412878E002089FDB54EFA4D850AEEBBB2FB99300F208429D90577364DB345D06DF60
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 7c3b230859fc022117d5cd4c7c34ae7bdf31e8c9526877738d46f1fd17da9f94
                                                                                                          • Instruction ID: 4d96158b152ee96a81eec5a9f0da99bbaf6425ccb0098fa323c6a6ddea835c8c
                                                                                                          • Opcode Fuzzy Hash: 7c3b230859fc022117d5cd4c7c34ae7bdf31e8c9526877738d46f1fd17da9f94
                                                                                                          • Instruction Fuzzy Hash: 6F311674E022198FCB18DFA5D840AEEB7B2FF8A304F208869D81577394CB319906CF64
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: f7b9c08488cdf4ffc8e08e40daee3549c50b9435b1f8df49edc8a9c00dfc1669
                                                                                                          • Instruction ID: 8618fb93013fc4e1282037ab6d5f7e348e68e9202942153d9d099c6884a9f369
                                                                                                          • Opcode Fuzzy Hash: f7b9c08488cdf4ffc8e08e40daee3549c50b9435b1f8df49edc8a9c00dfc1669
                                                                                                          • Instruction Fuzzy Hash: 35418F74E012199FCB44DFA9D58499EBBF2BF89304F208069E805AB360DB35AD01CF65
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 8d19d8d5051e7f2563f881436f8a6150f32f5a7b5c75af822b0b5341e103b85b
                                                                                                          • Instruction ID: f3faee0e57f0cc708552ca195a3329219d5a06727b65d81f93bc5d572c661f5f
                                                                                                          • Opcode Fuzzy Hash: 8d19d8d5051e7f2563f881436f8a6150f32f5a7b5c75af822b0b5341e103b85b
                                                                                                          • Instruction Fuzzy Hash: 4C410638E002089FDB54EFA5D850AEEBBB2FB99304F208469D90567364DB346D06DFA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: a6307f04ed017d6506ac884992a171d490788b103f6d705cd518c5dda7bcbfc5
                                                                                                          • Instruction ID: 78f160608fae1d8b8556261bae511ae83570a56305c4f7607f203f13145a5968
                                                                                                          • Opcode Fuzzy Hash: a6307f04ed017d6506ac884992a171d490788b103f6d705cd518c5dda7bcbfc5
                                                                                                          • Instruction Fuzzy Hash: 1E417F74E012189FCB48DFA9D59499EBBF2FF89304F208169E905A7360DB35AD01CF64
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 078dc6b6691522d5c6f5adeb838702f6344a6de6f9e882b4fd4ba28f30a8995b
                                                                                                          • Instruction ID: e2eaad57756f99920ff4a63f493080b37962dececfd2f5ea72208887ac9d41c8
                                                                                                          • Opcode Fuzzy Hash: 078dc6b6691522d5c6f5adeb838702f6344a6de6f9e882b4fd4ba28f30a8995b
                                                                                                          • Instruction Fuzzy Hash: B821F2343041104FDB54ABA5E401D9E37EAEB8764871080B9D506CB7A8DF25AD0F87D6
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 8df66cd08d341ad269f2973de257db041f810a9258ac46a3f264eadbfd045d06
                                                                                                          • Instruction ID: 603bc361feda45ddd194c5dea3dd5a8de3b23ad7740ba7395c951f0c1f32d769
                                                                                                          • Opcode Fuzzy Hash: 8df66cd08d341ad269f2973de257db041f810a9258ac46a3f264eadbfd045d06
                                                                                                          • Instruction Fuzzy Hash: DD31E574E00209CFDB04DFA5D994AEEBBF2EF89304F2084AAD505A7364DB359946CF51
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 5387b82cc6df6b184279987364458f52324c804eb7692adbef07d1c93c4f8527
                                                                                                          • Instruction ID: 2ee777cd3b929070da255eb0437a09722ec1cbdedfad9ef5b527eb663aa5909d
                                                                                                          • Opcode Fuzzy Hash: 5387b82cc6df6b184279987364458f52324c804eb7692adbef07d1c93c4f8527
                                                                                                          • Instruction Fuzzy Hash: 13214578E042098FDB01DFA8D484AEDBBF1FF49304F1084AAD504A7261EB355E46CFA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 249494a5e5d5adeeb77fe189f4a0617e544a6899644fd7514dfae43740c9b33b
                                                                                                          • Instruction ID: 99d5284260e49362fd56302e0ceaf639ecf26bbff25c8dc093f604e9ecd23bf1
                                                                                                          • Opcode Fuzzy Hash: 249494a5e5d5adeeb77fe189f4a0617e544a6899644fd7514dfae43740c9b33b
                                                                                                          • Instruction Fuzzy Hash: A921C574E00208CFCB04DFA9D9849AEBBF2EB89304F208469D905A7364DB359946CF51
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 0974b546e1fc9b9afaab87481918a9e846127c6dbf0c16021ded29a6f688aa25
                                                                                                          • Instruction ID: d4c76ab12525f322ef4f36be62e6620f5c7bf158036e9a1d6b86c1237c8f89f7
                                                                                                          • Opcode Fuzzy Hash: 0974b546e1fc9b9afaab87481918a9e846127c6dbf0c16021ded29a6f688aa25
                                                                                                          • Instruction Fuzzy Hash: 90216D74D0020E9FDB14EFA5D851AEEBB72FB85304F108829DA11AB364DB351E06CBA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: aaa27c01d1a9481c42088e2bbabcf649c801849212e4d233e7ef795b9ebdbbec
                                                                                                          • Instruction ID: 982f396f6d018707d2b4c3a20cc25808a5490092f78f611e70e294626e9789ba
                                                                                                          • Opcode Fuzzy Hash: aaa27c01d1a9481c42088e2bbabcf649c801849212e4d233e7ef795b9ebdbbec
                                                                                                          • Instruction Fuzzy Hash: 32210278E042098FDB04DFA9D484AEEBBF1FF49304F10846AD504A7264EB756E46CFA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: b8e8781ddfe98e931c1f17ac55ab05ee71b8a22e7f918aeaa5c790bab7a95ee2
                                                                                                          • Instruction ID: 06062db869e93707b05179334af69c153bc249315d1c1176509bc0144d8a1c70
                                                                                                          • Opcode Fuzzy Hash: b8e8781ddfe98e931c1f17ac55ab05ee71b8a22e7f918aeaa5c790bab7a95ee2
                                                                                                          • Instruction Fuzzy Hash: 0B111974D0021E9FDF14EFA5D850AEEBB72FB89304F108829DA1167364DB356E06CBA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 75935949cff006b243ec057308792a40d769a8babd16a3f1a028d20cb1801de8
                                                                                                          • Instruction ID: 8d914aa754cb190f273ffc7d5146f0cc11414f7c84a588291c7dc8944cb390ab
                                                                                                          • Opcode Fuzzy Hash: 75935949cff006b243ec057308792a40d769a8babd16a3f1a028d20cb1801de8
                                                                                                          • Instruction Fuzzy Hash: 8F112878901208DFC780EFA8E889A8DBBF1FF09708B1185A9D509DB361E7709E46CF50
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 4aef8f8cc8f86dc7e64beb61425df367c44bf2e190b936a6ae261fdc633913e4
                                                                                                          • Instruction ID: 98469edb44fd1fd7a3e61bbcadb3bcdf07b6bee5e7af9acf7bcba974546bc86f
                                                                                                          • Opcode Fuzzy Hash: 4aef8f8cc8f86dc7e64beb61425df367c44bf2e190b936a6ae261fdc633913e4
                                                                                                          • Instruction Fuzzy Hash: 22017CB8D08208DFCB44DFA9D985AADBBF1FB49314F10C5AAD80597325DB309A42CF50
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 20b81ee3281c4f9f79c8f694e94fb31580eb5a9d0bf581555ae346215ee0ffc4
                                                                                                          • Instruction ID: ec8cbd2f673eb5b9c77b2bca81e6eec14f17bd0e71a8e5f528f7e8f51a659fad
                                                                                                          • Opcode Fuzzy Hash: 20b81ee3281c4f9f79c8f694e94fb31580eb5a9d0bf581555ae346215ee0ffc4
                                                                                                          • Instruction Fuzzy Hash: 98112A74905209DFCB91EFA8E985A9CBBF1FB59304F008AA6C505E7224EB741E0ADF51
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 1f765c9c8d296a8f509067828073a84701260f941912716da2a646da9a1aa102
                                                                                                          • Instruction ID: 49542064c2f4e44fe80c73b1fbb306067580fb767712b07804194472fecae580
                                                                                                          • Opcode Fuzzy Hash: 1f765c9c8d296a8f509067828073a84701260f941912716da2a646da9a1aa102
                                                                                                          • Instruction Fuzzy Hash: DF11D378A00208DFCB90EFA8D888A9DBBF5FB49708F1185A9D509D7364E774AE45CF50
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: f0686ce7d8cc36dbdb5333731d145767fc615f49999a3e5c52829f810f1a4cd3
                                                                                                          • Instruction ID: 072c8bcba8aeebae116f5313141e7c8486f2fc612f45367e5d44a4c5319c5aef
                                                                                                          • Opcode Fuzzy Hash: f0686ce7d8cc36dbdb5333731d145767fc615f49999a3e5c52829f810f1a4cd3
                                                                                                          • Instruction Fuzzy Hash: 30011E70D04248AFDB40FFF5E485A9C7BF1EB85308F10C9A9C104A7664EB755E06CB51
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 852705c74f9007ceca41d272306698c00b962c1a6aadaa32178e5ab7d30cdd23
                                                                                                          • Instruction ID: a64fd19dbec74123d9747169f634d147cb3f41b059a4390a1ab0d57d39bf4274
                                                                                                          • Opcode Fuzzy Hash: 852705c74f9007ceca41d272306698c00b962c1a6aadaa32178e5ab7d30cdd23
                                                                                                          • Instruction Fuzzy Hash: 1201D671D0829A9FDF22DFA4DC509ED7BB0FF56304F0084A9C511AB260D7385D06DB60
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 762339a6a82a9eabc09be8de33a8d7dc20041ef4ff30ea2863f8450b3edb0c99
                                                                                                          • Instruction ID: 2e662fad74357ed898b70964088703abceeb7c754ed76ddd3f1f4297528a26d1
                                                                                                          • Opcode Fuzzy Hash: 762339a6a82a9eabc09be8de33a8d7dc20041ef4ff30ea2863f8450b3edb0c99
                                                                                                          • Instruction Fuzzy Hash: E701E574905209DFCB91EFA8E984A9D7BF1FB59304F108AA5D505E3228EB741E0ADF90
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 36fb9e9fd0e737d84f50b045addddc991b0d133e70b83066da65c290d6fccd57
                                                                                                          • Instruction ID: 896ac52702bff5c772fe22b12a227d704247e5bb7f2f5190a7a9687d384e172a
                                                                                                          • Opcode Fuzzy Hash: 36fb9e9fd0e737d84f50b045addddc991b0d133e70b83066da65c290d6fccd57
                                                                                                          • Instruction Fuzzy Hash: 9B01E870D04208AFDB80FFE9E885A9DBBF5EB85308F1088A9D104A7254EB716E09CB55
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 45b0dc0b8ec35bc45b2faeaa1859a3b2402cb5ac0bc08a64f8bb6eb8b6c53c5b
                                                                                                          • Instruction ID: d17ecbdb5ad273e9d157ac488c948d098c1ddc5d954e40175ad0204c8e47d8fc
                                                                                                          • Opcode Fuzzy Hash: 45b0dc0b8ec35bc45b2faeaa1859a3b2402cb5ac0bc08a64f8bb6eb8b6c53c5b
                                                                                                          • Instruction Fuzzy Hash: 6001FB78E04208DFCB44EFA9D584AADBBF1FB49314F10C5AAD81597325D7309A41CF41
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 5e1b4bda56b3759fd723641ee3acb154d96280105288133bfa6a139d9ae4fd50
                                                                                                          • Instruction ID: 5c77570fc4f295eb554c10e0b0b32ee8c805eb0db4100afbe24c8102e1d083dd
                                                                                                          • Opcode Fuzzy Hash: 5e1b4bda56b3759fd723641ee3acb154d96280105288133bfa6a139d9ae4fd50
                                                                                                          • Instruction Fuzzy Hash: A6E0DFB081A205EFC700EFA1B18C3AE7FA5EB5B306F00AC70E40987200EB3A0D42CB41
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: c9be3b7b03c88ef4ca6594fba4dce54077f57e9be6cb8998007ddcf3afb998cc
                                                                                                          • Instruction ID: 63b127b2116c70fe8fea6949b37d3fa6af3308281cfdd78727bff29a41875d39
                                                                                                          • Opcode Fuzzy Hash: c9be3b7b03c88ef4ca6594fba4dce54077f57e9be6cb8998007ddcf3afb998cc
                                                                                                          • Instruction Fuzzy Hash: 4FF082B4905209EFD750EFB8D54478CBFB1EB15305F1085A6C60493254E7304E47DB51
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: e195568cb345a5824765eee60860ddad8e1bab11a67d567b073933652b81f58e
                                                                                                          • Instruction ID: d81d430ee7ae6fc9dc4d9dee7189a7b35326c27c87fc46b859b74d5333e7592d
                                                                                                          • Opcode Fuzzy Hash: e195568cb345a5824765eee60860ddad8e1bab11a67d567b073933652b81f58e
                                                                                                          • Instruction Fuzzy Hash: E9E06D74805208DFDB40EFB8E548A9CBBF4EB08304F1085A6C804E3214EB301E46DB51
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 2a38f2b902db4a749665fe3809a90bc72864f89827c2c0b96266829a6c1b44f2
                                                                                                          • Instruction ID: 7411594f13c34b5b375f4ebd5405a85245c6616956677e1131487a44753172dd
                                                                                                          • Opcode Fuzzy Hash: 2a38f2b902db4a749665fe3809a90bc72864f89827c2c0b96266829a6c1b44f2
                                                                                                          • Instruction Fuzzy Hash: A1D0C2B0D46104ABC3059FD0A6843B97BB9DB42309F10A8A5950827200EB364E068B54
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 870b2c7bbdaf95ab7a5b71d5123c26a29683472d1932aad6733c5f89e963893e
                                                                                                          • Instruction ID: 1b84885c87f88dbeb035411880194c9cd9e279fcf3102be81c527c43d128faf1
                                                                                                          • Opcode Fuzzy Hash: 870b2c7bbdaf95ab7a5b71d5123c26a29683472d1932aad6733c5f89e963893e
                                                                                                          • Instruction Fuzzy Hash: 18E0EC30859309DFC700EFB2A55C66A7FA8EB4B306F00ACB4E80AD7140DB3A0D40CB51
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 090874da7c7d94fda432d1c7d0cffdd68fd0ce18df0c4802aff87356019659d8
                                                                                                          • Instruction ID: 933a5ed625e0d118808020a59be6955bc0706fb72ed7e85023ca46b6774aceff
                                                                                                          • Opcode Fuzzy Hash: 090874da7c7d94fda432d1c7d0cffdd68fd0ce18df0c4802aff87356019659d8
                                                                                                          • Instruction Fuzzy Hash: FAD02B23E0C1D09FCF0247F9BC550E47FB0E887202705C1EBC041E7462D214DA0AD360
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: df6f8462a3e8844bd223eeb1580687e7121124c6372a185f7e1718699cf998cf
                                                                                                          • Instruction ID: 65458a5625a261e9eb1b6081abc4a5d6e2912257ffb67e53775e8c6887245052
                                                                                                          • Opcode Fuzzy Hash: df6f8462a3e8844bd223eeb1580687e7121124c6372a185f7e1718699cf998cf
                                                                                                          • Instruction Fuzzy Hash: 1AD0A730C1A108DBC704EFE1DA547B9BBFCD706309F00A8A9840423200EB354D00CB55
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: e33e8c498726c650f1d26696cc65ee420d06dc4db82e6658105a684072c0a302
                                                                                                          • Instruction ID: a1529252e12d8b2e9413871cbbeb174158a5dd3dac5f531faca73d9af64e64ae
                                                                                                          • Opcode Fuzzy Hash: e33e8c498726c650f1d26696cc65ee420d06dc4db82e6658105a684072c0a302
                                                                                                          • Instruction Fuzzy Hash: 8DD05EB66493486FEF005B60D80C76BBFD7DBB5301F14947ADA0687150EA34CC958750
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 6787bcd7775ae122b8d09ef13ce420aa756656e95b05705a7cd0f7cfd4dda9a3
                                                                                                          • Instruction ID: 4cc0293fbf400499f361f3bf87efb8ec78e63334cb796953882edf67c94651d1
                                                                                                          • Opcode Fuzzy Hash: 6787bcd7775ae122b8d09ef13ce420aa756656e95b05705a7cd0f7cfd4dda9a3
                                                                                                          • Instruction Fuzzy Hash: E6D0A72050E7484FC3115B54FC5E7A67BA8EB4370EF0418E9D1082B0A3D7B06956C629
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.422558962.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Executed Functions

Memory Dump Source
• Source File: 0000000F.00000002.530913591.00000000032ED000.00000040.00000001.sdmp, Offset: 032ED000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.530913591.00000000032ED000.00000040.00000001.sdmp, Offset: 032ED000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Executed Functions

APIs
• GetUserNameW.ADVAPI32(00000000,00000000), ref: 05DDB633
Strings
Memory Dump Source
• Source File: 00000011.00000002.605257519.0000000005DD0000.00000040.00000001.sdmp, Offset: 05DD0000, based on PE: false
Similarity
• API ID: NameUser
• String ID: veU$veU
• API String ID: 2645101109-3400187332
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02B95302
Strings
Memory Dump Source
• Source File: 00000011.00000002.596762775.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID: veU$veU
• API String ID: 716092398-3400187332
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetUserNameW.ADVAPI32(00000000,00000000), ref: 05DDB633
Strings
Memory Dump Source
• Source File: 00000011.00000002.605257519.0000000005DD0000.00000040.00000001.sdmp, Offset: 05DD0000, based on PE: false
Similarity
• API ID: NameUser
• String ID: veU$veU
• API String ID: 2645101109-3400187332
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetUserNameW.ADVAPI32(00000000,00000000), ref: 05DDB633
Strings
Memory Dump Source
• Source File: 00000011.00000002.605257519.0000000005DD0000.00000040.00000001.sdmp, Offset: 05DD0000, based on PE: false
Similarity
• API ID: NameUser
• String ID: veU$veU
• API String ID: 2645101109-3400187332
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02B95302
Strings
Memory Dump Source
• Source File: 00000011.00000002.596762775.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID: veU$veU
• API String ID: 716092398-3400187332
Uniqueness

Uniqueness Score: -1.00%

APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 02B97D61
Strings
Memory Dump Source
• Source File: 00000011.00000002.596762775.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false
Similarity
• API ID: CallProcWindow
• String ID: veU
• API String ID: 2714655100-3956225957
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 02B9C4A2
Strings
Memory Dump Source
• Source File: 00000011.00000002.596762775.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false
Similarity
• API ID: EncodePointer
• String ID: veU
• API String ID: 2118026453-3956225957
Uniqueness

Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B96E5F
Strings
Memory Dump Source
• Source File: 00000011.00000002.596762775.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID: veU
• API String ID: 3793708945-3956225957
Uniqueness

Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B96E5F
Strings
Memory Dump Source
• Source File: 00000011.00000002.596762775.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID: veU
• API String ID: 3793708945-3956225957
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 02B9C4A2
Strings
Memory Dump Source
• Source File: 00000011.00000002.596762775.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false
Similarity
• API ID: EncodePointer
• String ID: veU
• API String ID: 2118026453-3956225957
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions