Analysis Report Purchase order.exe

Overview

General Information

Sample Name: Purchase order.exe
Analysis ID: 358189
MD5: 98be4d3bb2053810801fadeb32884acd
SHA1: 8919195923883f3842ff78210ab6c6c1e448a10b
SHA256: df61b9c866c5ceb278e173814ddf975b70b5b2e9fcbc5b482326e4163c2e1086
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Yara detected AgentTesla
.NET source code contains very large array initializations
Bypasses PowerShell execution policy
Contains functionality to log keystrokes (.Net Source)
Drops PE files to the startup folder
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Powershell drops PE file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Yara detected Beds Obfuscator
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • Purchase order.exe (PID: 7072 cmdline: 'C:\Users\user\Desktop\Purchase order.exe' MD5: 98BE4D3BB2053810801FADEB32884ACD)
    • powershell.exe (PID: 7128 cmdline: 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Purchase order.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Purchase order.exe (PID: 5132 cmdline: C:\Users\user\Desktop\Purchase order.exe MD5: 98BE4D3BB2053810801FADEB32884ACD)
    • Purchase order.exe (PID: 2040 cmdline: C:\Users\user\Desktop\Purchase order.exe MD5: 98BE4D3BB2053810801FADEB32884ACD)
  • Drivers.exe (PID: 5988 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' MD5: 98BE4D3BB2053810801FADEB32884ACD)
    • powershell.exe (PID: 7032 cmdline: 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Drivers.exe (PID: 4924 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe MD5: 98BE4D3BB2053810801FADEB32884ACD)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000002.00000002.337349475.00000000057B0000.00000004.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
00000002.00000002.334741254.00000000040B9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.334741254.00000000040B9000.00000004.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(5 of 17 entries shown)

Unpacked PEs

Source | Rule | Description | Author
11.2.Drivers.exe.4b20000.7.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
11.2.Drivers.exe.358f940.3.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
2.2.Purchase order.exe.42223b8.5.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
11.2.Drivers.exe.4b20000.7.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
2.2.Purchase order.exe.411f940.3.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
(5 of 17 entries shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | ReversingLabs: Detection: 27%
Source: 7.2.Purchase order.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 17.2.Drivers.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: Purchase order.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses secure TLS version for HTTPS connections
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49748 version: TLS 1.2
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Purchase order.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: RunPE.pdb source: Purchase order.exe, 00000002.00000002.334237631.00000000030B1000.00000004.00000001.sdmp, Drivers.exe, 0000000B.00000002.423002079.0000000002521000.00000004.00000001.sdmp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | File opened: C:\Users\user\AppData\

Networking:

Uses the Telegram API (likely for C&C communication)
Source: unknown | DNS query: name: api.telegram.org
Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS traffic detected: queries for: api.telegram.org
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49748 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: Purchase order.exe, Hook.cs | .Net Code: Register
Source: 2.0.Purchase order.exe.d20000.0.unpack, Hook.cs | .Net Code: Register
Source: 2.2.Purchase order.exe.d20000.0.unpack, Hook.cs | .Net Code: Register
Source: Drivers.exe.3.dr, Hook.cs | .Net Code: Register
Source: 6.2.Purchase order.exe.1f0000.0.unpack, Hook.cs | .Net Code: Register
Source: 6.0.Purchase order.exe.1f0000.0.unpack, Hook.cs | .Net Code: Register
Source: 7.0.Purchase order.exe.f90000.0.unpack, Hook.cs | .Net Code: Register
Source: 7.2.Purchase order.exe.f90000.1.unpack, Hook.cs | .Net Code: Register
Source: 11.0.Drivers.exe.10000.0.unpack, Hook.cs | .Net Code: Register
Source: 11.2.Drivers.exe.10000.0.unpack, Hook.cs | .Net Code: Register
Source: 17.0.Drivers.exe.800000.0.unpack, Hook.cs | .Net Code: Register
Installs a global keyboard hook
Source: C:\Users\user\Desktop\Purchase order.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Purchase order.exe

System Summary:

.NET source code contains very large array initializations
Source: 7.2.Purchase order.exe.400000.0.unpack, <PrivateImplementationDetails>{3AC7E05A-C66B-4157-95C4-6C91F712DA24}/0AFDCAC9-DE14-4130-A6F9-286CA1BF4D87.cs | Large array initialization: .cctor: array initializer size 12028
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Purchase order.exe
Powershell drops PE file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
                      Source: Purchase order.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: Drivers.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: Purchase order.exe, 00000002.00000002.334741254.00000000040B9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCaptIt.dll. vs Purchase order.exe
                      Source: Purchase order.exe, 00000002.00000002.334741254.00000000040B9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameQDMERNJgHEzTJlNmtyUNxhtBpXZd.exe4 vs Purchase order.exe
                      Source: Purchase order.exe, 00000002.00000000.323630469.0000000000D9E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamePOWERPNT.exeL vs Purchase order.exe
                      Source: Purchase order.exe, 00000002.00000002.334237631.00000000030B1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRunPE.dll" vs Purchase order.exe
                      Source: Purchase order.exe, 00000006.00000000.330564181.000000000026E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamePOWERPNT.exeL vs Purchase order.exe
                      Source: Purchase order.exe, 00000007.00000002.607109858.00000000069E0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Purchase order.exe
                      Source: Purchase order.exe, 00000007.00000002.593118227.000000000100E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamePOWERPNT.exeL vs Purchase order.exe
                      Source: Purchase order.exe, 00000007.00000002.597084899.00000000018D0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx vs Purchase order.exe
                      Source: Purchase order.exe, 00000007.00000002.607228994.0000000006A60000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Purchase order.exe
                      Source: Purchase order.exe, 00000007.00000002.592269588.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameQDMERNJgHEzTJlNmtyUNxhtBpXZd.exe4 vs Purchase order.exe
                      Source: Purchase order.exe, 00000007.00000002.593212130.00000000011A8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs Purchase order.exe
                      Source: Purchase order.exeBinary or memory string: OriginalFilenamePOWERPNT.exeL vs Purchase order.exe
                      Source: Purchase order.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: Purchase order.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: Drivers.exe.3.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: Purchase order.exe, Config.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 2.0.Purchase order.exe.d20000.0.unpack, Config.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 2.2.Purchase order.exe.d20000.0.unpack, Config.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: Drivers.exe.3.dr, Config.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 6.2.Purchase order.exe.1f0000.0.unpack, Config.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 6.0.Purchase order.exe.1f0000.0.unpack, Config.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: classification engineClassification label: mal100.troj.adwa.spyw.evad.winEXE@14/13@1/1
                      Source: C:\Users\user\Desktop\Purchase order.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase order.exe.logJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7144:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_01
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k3u3tnr4.sav.ps1Jump to behavior
                      Source: Purchase order.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\Purchase order.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\Purchase order.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\Purchase order.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Purchase order.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Purchase order.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Purchase order.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Purchase order.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Users\user\Desktop\Purchase order.exe 'C:\Users\user\Desktop\Purchase order.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Purchase order.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\Purchase order.exe C:\Users\user\Desktop\Purchase order.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
Source: C:\Users\user\Desktop\Purchase order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Purchase order.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
Source: C:\Users\user\Desktop\Purchase order.exe | Process created: C:\Users\user\Desktop\Purchase order.exe C:\Users\user\Desktop\Purchase order.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
Source: C:\Users\user\Desktop\Purchase order.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Purchase order.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Purchase order.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Purchase order.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Purchase order.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RunPE.pdb | source: Purchase order.exe, 00000002.00000002.334237631.00000000030B1000.00000004.00000001.sdmp, Drivers.exe, 0000000B.00000002.423002079.0000000002521000.00000004.00000001.sdmp

Data Obfuscation:

Yara detected Beds Obfuscator
Source: Yara match | File source: 00000002.00000002.337349475.00000000057B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.334741254.00000000040B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.423935619.0000000003529000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.429837387.0000000004B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Drivers.exe PID: 5988, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase order.exe PID: 7072, type: MEMORY
Source: Yara match | File source: 11.2.Drivers.exe.4b20000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Drivers.exe.358f940.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Drivers.exe.4b20000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Purchase order.exe.411f940.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Drivers.exe.35f5d70.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Purchase order.exe.4185d70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Purchase order.exe.57b0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Purchase order.exe.4185d70.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Purchase order.exe.411f940.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Purchase order.exe.57b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Drivers.exe.35f5d70.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Drivers.exe.358f940.3.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_015D1F32 push es; ret
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_015D7A37 push edi; retn 0000h
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_018ED8BE push edi; retf
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_018ED9BE push esi; retf
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_018EDA1E push esi; retf
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_018ED91C push edi; retf
Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_018ED97C push edi; retf
Source: initial sample | Static PE information: section name: .text entropy: 7.98094912825
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe

Boot Survival:

Drops PE files to the startup folder
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\Purchase order.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Purchase order.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\Purchase order.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\Purchase order.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Yara detected Beds Obfuscator
                      Source: Yara match | File source: 00000002.00000002.337349475.00000000057B0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.334741254.00000000040B9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000B.00000002.423935619.0000000003529000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000B.00000002.429837387.0000000004B20000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Drivers.exe PID: 5988, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Purchase order.exe PID: 7072, type: MEMORY
                      Source: Yara match | File source: 11.2.Drivers.exe.4b20000.7.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.Drivers.exe.358f940.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.Drivers.exe.4b20000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.Purchase order.exe.411f940.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.Drivers.exe.35f5d70.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.Purchase order.exe.4185d70.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.Purchase order.exe.57b0000.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.Purchase order.exe.4185d70.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.Purchase order.exe.411f940.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.Purchase order.exe.57b0000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.Drivers.exe.35f5d70.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.Drivers.exe.358f940.3.raw.unpack, type: UNPACKEDPE
                      Source: C:\Users\user\Desktop\Purchase order.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 occurrences)
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1993
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1233
                      Source: C:\Users\user\Desktop\Purchase order.exe | Window / User API: threadDelayed 1115
                      Source: C:\Users\user\Desktop\Purchase order.exe | Window / User API: threadDelayed 8743
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4319
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2051
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Window / User API: threadDelayed 947
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Window / User API: threadDelayed 8892
                      Source: C:\Users\user\Desktop\Purchase order.exe TID: 7116 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1072 | Thread sleep count: 1993 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4552 | Thread sleep count: 1233 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4828 | Thread sleep count: 58 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6568 | Thread sleep time: -14757395258967632s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4628 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\Purchase order.exe TID: 5788 | Thread sleep time: -15679732462653109s >= -30000s
                      Source: C:\Users\user\Desktop\Purchase order.exe TID: 5792 | Thread sleep count: 1115 > 30
                      Source: C:\Users\user\Desktop\Purchase order.exe TID: 5792 | Thread sleep count: 8743 > 30
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe TID: 7152 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5160 | Thread sleep count: 4319 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5160 | Thread sleep count: 2051 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3904 | Thread sleep count: 34 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5500 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6228 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe TID: 6032 | Thread sleep time: -23980767295822402s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe TID: 5708 | Thread sleep count: 947 > 30
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe TID: 5708 | Thread sleep count: 8892 > 30
                      Source: C:\Users\user\Desktop\Purchase order.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Purchase order.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (2 occurrences)
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | File opened: C:\Users\user\
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | File opened: C:\Users\user\AppData\
                      Source: powershell.exe, 00000003.00000002.392297211.0000000004543000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000003.513586796.0000000005848000.00000004.00000001.sdmp | Binary or memory string: Hyper-V
                      Source: powershell.exe, 00000003.00000002.392297211.0000000004543000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000003.513586796.0000000005848000.00000004.00000001.sdmp | Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
                      Source: C:\Users\user\Desktop\Purchase order.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\Purchase order.exe | Code function: 7_2_01739128 LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\Purchase order.exe | Process token adjusted: Debug (2 occurrences)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (2 occurrences)
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\Purchase order.exe | Memory allocated: page read and write | page guard
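The evasion entries above are the raw material for a first-pass verdict, but reading dozens of fused "Source: ... Thread sleep ..." lines by hand is slow. The following is an added triage example, written for this page and not part of the Joe Sandbox report or the sample's code: it parses "Thread sleep time", "Thread sleep count" and "WMI Queries" entries, applies the thresholds the report itself prints after each value, deduplicates repeated entries (the report lists the Win32_Processor ExecQuery twice), and groups what remains per process. The sample lines are transcribed from the entries above into a "Source: <process> | <event>" layout (one is left in the fused "...3904Thread sleep" form the extracted page shows, to demonstrate that both parse); the set of WMI classes treated as VM-fingerprinting is this example's own choice.

```python
"""Triage helper for sandbox evasion entries (added example, not report output)."""
import re
from dataclasses import dataclass

# Constructed sample: entries transcribed from the report above.  Most use a
# "Source: <process> | <event>" layout; one keeps the fused "...3904Thread sleep"
# form of the extracted page to show the parser accepts both.
SAMPLE_ENTRIES = r"""
Source: C:\Users\user\Desktop\Purchase order.exe TID: 7116 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4828 | Thread sleep count: 58 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3904Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe TID: 5708 | Thread sleep count: 8892 > 30
Source: C:\Users\user\Desktop\Purchase order.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Purchase order.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Purchase order.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Purchase order.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
"""

# WMI classes whose enumeration is commonly used to fingerprint a VM or sandbox
# (this example's own assumption; extend as needed).
VM_FINGERPRINT_CLASSES = {
    "Win32_Bios", "Win32_BaseBoard", "Win32_Processor",
    "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration",
}

# Source text is taken non-greedily up to the event keyword, so a missing
# " | " separator (fused extraction) does not matter.
ENTRY_RE = re.compile(
    r"^Source:\s*(?P<src>.*?)\s*\|?\s*"
    r"(?P<event>Thread sleep time|Thread sleep count|WMI Queries)(?P<rest>.*)$"
)
# The report prints its own threshold after each value; reuse it.
SLEEP_TIME_RE = re.compile(r":\s*(-?\d+)s\s*>=\s*(-?\d+)s")
SLEEP_COUNT_RE = re.compile(r":\s*(\d+)\s*>\s*(\d+)")
WMI_CLASS_RE = re.compile(r"\b(Win32_\w+)\b")


@dataclass(frozen=True)
class Finding:
    process: str   # image name of the source process
    kind: str      # "long_sleep", "sleep_loop" or "vm_fingerprint"
    detail: str


def process_name(src):
    # "C:\...\Drivers.exe TID: 5708" -> "Drivers.exe"
    return src.split(" TID:")[0].rsplit("\\", 1)[-1]


def triage(text):
    """Parse report lines into deduplicated findings, preserving first-seen order."""
    seen = {}
    for raw in text.strip().splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m is None:
            continue  # other event types (e.g. "Last function") are not handled here
        proc, event, rest = process_name(m["src"]), m["event"], m["rest"]
        finding = None
        if event == "Thread sleep time":
            value, threshold = map(int, SLEEP_TIME_RE.search(rest).groups())
            # the report prints these waits as negative numbers; compare magnitudes
            if abs(value) >= abs(threshold):
                finding = Finding(proc, "long_sleep", f"delay {abs(value)} >= {abs(threshold)}")
        elif event == "Thread sleep count":
            count, threshold = map(int, SLEEP_COUNT_RE.search(rest).groups())
            if count > threshold:
                finding = Finding(proc, "sleep_loop", f"{count} delays in one thread")
        else:  # WMI Queries
            cls = WMI_CLASS_RE.search(rest).group(1)
            if cls in VM_FINGERPRINT_CLASSES:
                finding = Finding(proc, "vm_fingerprint", cls)
        if finding is not None:
            seen.setdefault(finding, None)   # dict keeps insertion order, drops repeats
    return list(seen)


def summarize(findings):
    """Per-process map: evasion kind -> list of details, for a quick verdict."""
    report = {}
    for f in findings:
        report.setdefault(f.process, {}).setdefault(f.kind, []).append(f.detail)
    return report


if __name__ == "__main__":
    for proc, kinds in summarize(triage(SAMPLE_ENTRIES)).items():
        print(proc)
        for kind, details in kinds.items():
            print(f"  {kind}: {', '.join(details)}")
```

Two caveats when reading the grouped result against this report. First, the powershell.exe sleep loops are expected noise from the sandbox driving PowerShell to copy the file; the signal is the dropped Startup copy (Drivers.exe) repeating the sample's own long delay and WMI enumeration, which is what you would expect from a persisted copy of the same binary. Second, the "Hyper-V" strings found in powershell.exe memory sit next to the module path C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V, so they are best explained by PowerShell's own module enumeration and are not evidence that the sample looked for a hypervisor; the script above deliberately does not count them.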

                      HIPS / PFW / Operating System Protection Evasion:

                      Bypasses PowerShell execution policy
                      Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Purchase order.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
                      Source: C:\Users\user\Desktop\Purchase order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Purchase order.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
                      Source: C:\Users\user\Desktop\Purchase order.exe | Process created: C:\Users\user\Desktop\Purchase order.exe C:\Users\user\Desktop\Purchase order.exe (2 occurrences)
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
                      Source: Purchase order.exe, 00000007.00000002.598220796.0000000001DA0000.00000002.00000001.sdmp, Drivers.exe, 00000011.00000002.596524733.0000000001680000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                      Source: Purchase order.exe, 00000007.00000002.598220796.0000000001DA0000.00000002.00000001.sdmp, Drivers.exe, 00000011.00000002.596524733.0000000001680000.00000002.00000001.sdmpBinary or memory string: Progman
                      Source: Purchase order.exe, 00000007.00000002.598220796.0000000001DA0000.00000002.00000001.sdmp, Drivers.exe, 00000011.00000002.596524733.0000000001680000.00000002.00000001.sdmpBinary or memory string: &Program Manager
                      Source: Purchase order.exe, 00000007.00000002.598220796.0000000001DA0000.00000002.00000001.sdmp, Drivers.exe, 00000011.00000002.596524733.0000000001680000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\Purchase order.exeQueries volume information: C:\Users\user\Desktop\Purchase order.exe VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase order.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase order.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase order.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase order.exeQueries volume information: C:\Users\user\Desktop\Purchase order.exe VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase order.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase order.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase order.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase order.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase order.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase order.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeCode function: 17_2_05DD516C GetUserNameW,
                      Source: C:\Users\user\Desktop\Purchase order.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 00000002.00000002.334741254.00000000040B9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000B.00000002.423935619.0000000003529000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000002.592230208.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000B.00000003.412342681.0000000000756000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.592269588.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.324926849.0000000001303000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.599811556.00000000033E1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Drivers.exe PID: 4924, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Drivers.exe PID: 5988, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Purchase order.exe PID: 2040, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Purchase order.exe PID: 7072, type: MEMORY
                      Source: Yara match | File source: 2.2.Purchase order.exe.42223b8.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.Drivers.exe.36923b8.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.Purchase order.exe.4185d70.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.Purchase order.exe.42223b8.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.Purchase order.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 17.2.Drivers.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.Purchase order.exe.411f940.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.Drivers.exe.35f5d70.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.Drivers.exe.36923b8.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.Drivers.exe.358f940.3.raw.unpack, type: UNPACKEDPE
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                      Source: C:\Users\user\Desktop\Purchase order.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Users\user\Desktop\Purchase order.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\Purchase order.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Tries to harvest and steal ftp login credentials
                      Source: C:\Users\user\Desktop\Purchase order.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Source: C:\Users\user\Desktop\Purchase order.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Tries to steal Mail credentials (via file access)
                      Source: C:\Users\user\Desktop\Purchase order.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\Purchase order.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\Purchase order.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Users\user\Desktop\Purchase order.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: Yara match | File source: 00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.599811556.00000000033E1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Drivers.exe PID: 4924, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Purchase order.exe PID: 2040, type: MEMORY

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 00000002.00000002.334741254.00000000040B9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000B.00000002.423935619.0000000003529000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000002.592230208.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000B.00000003.412342681.0000000000756000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.592269588.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.324926849.0000000001303000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.599811556.00000000033E1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Drivers.exe PID: 4924, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Drivers.exe PID: 5988, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Purchase order.exe PID: 2040, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Purchase order.exe PID: 7072, type: MEMORY
                      Source: Yara match | File source: 2.2.Purchase order.exe.42223b8.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.Drivers.exe.36923b8.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.Purchase order.exe.4185d70.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.Purchase order.exe.42223b8.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.Purchase order.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 17.2.Drivers.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.Purchase order.exe.411f940.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.Drivers.exe.35f5d70.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.Drivers.exe.36923b8.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.Drivers.exe.358f940.3.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation 211 | Startup Items 1 | Startup Items 1 | Disable or Modify Tools 1 | OS Credential Dumping 2 | Account Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Web Service 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | PowerShell 2 | Registry Run Keys / Startup Folder 12 | Process Injection 12 | Deobfuscate/Decode Files or Information 1 | Input Capture 21 | File and Directory Discovery 1 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Encrypted Channel 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Registry Run Keys / Startup Folder 12 | Obfuscated Files or Information 2 | Credentials in Registry 1 | System Information Discovery 114 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 3 | NTDS | Query Registry 1 | Distributed Component Object Model | Input Capture 21 | Scheduled Transfer | Application Layer Protocol 2 | SIM Card Swap | Carrier Billing Fraud |
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 1 | LSA Secrets | Security Software Discovery 211 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 13 | Cached Domain Credentials | Virtualization/Sandbox Evasion 13 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 12 | DCSync | Process Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Application Window Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Owner/User Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
                      Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact |

                      Behavior Graph

                      [Behavior graph is rendered as an image; the information recoverable from it is listed below.]
                      Behavior Graph ID: 358189 | Sample: Purchase order.exe | Start date: 25/02/2021 | Architecture: WINDOWS | Score: 100
                      Top-level signatures: Multi AV Scanner detection for dropped file; Yara detected AgentTesla; .NET source code contains very large array initializations; 7 other signatures
                      Process tree:
                      • Purchase order.exe (started)
                        • Purchase order.exe (started) | DNS/IP: api.telegram.org 149.154.167.220, port 443, local port 49748, TELEGRAMRU, United Kingdom | Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; 2 other signatures
                        • powershell.exe (started) | Dropped: C:\Users\user\AppData\Roaming\...\Drivers.exe (PE32); C:\Users\user\...\Drivers.exe:Zone.Identifier (ASCII) | Signatures: Drops PE files to the startup folder; Powershell drops PE file
                          • conhost.exe (started)
                        • Purchase order.exe (started)
                      • Drivers.exe (started)
                        • powershell.exe (started)
                          • conhost.exe (started)
                        • Drivers.exe (started)

                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      No Antivirus matches

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | 28% | ReversingLabs | ByteCode-MSIL.Trojan.Pwsx

                      Unpacked PE Files

Source | Detection | Scanner | Label
7.2.Purchase order.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
17.2.Drivers.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://Aa8zauZezuE3202C2Z.com | 0% | Avira URL Cloud | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://api.telegram.org4)l | 0% | Avira URL Cloud | safe
https://api.ipify.org%$ | 0% | Avira URL Cloud | safe
http://www.microsoft.coo. | 0% | Avira URL Cloud | safe
https://contoso.com/ | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.pngHz | 0% | Avira URL Cloud | safe
https://api.telegram.orgD8)l | 0% | Avira URL Cloud | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://jotaSG.com | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.telegram.org | 149.154.167.220 | true | false | - | high

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | Purchase order.exe, 00000007.00000002.599811556.00000000033E1000.00000004.00000001.sdmp, Drivers.exe, 00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.393564228.0000000005408000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.536141435.0000000005C75000.00000004.00000001.sdmp | false | - | high
http://DynDns.comDynDNS | Drivers.exe, 00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://Aa8zauZezuE3202C2Z.com | Purchase order.exe, 00000007.00000002.599811556.00000000033E1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot1670019254:AAH89qmQqzYne6MnIySolVTT-8E2raVN0Ko/ | Purchase order.exe, 00000002.00000002.334741254.00000000040B9000.00000004.00000001.sdmp, Purchase order.exe, 00000007.00000002.592269588.0000000000402000.00000040.00000001.sdmp, Drivers.exe, 0000000B.00000002.423935619.0000000003529000.00000004.00000001.sdmp, Drivers.exe, 00000011.00000002.592230208.0000000000402000.00000040.00000001.sdmp | false | - | high
https://api.telegram.org | Purchase order.exe, 00000007.00000002.601601404.000000000374A000.00000004.00000001.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.392234936.00000000044E2000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000003.504047446.0000000007E23000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.531885745.0000000004D50000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | Purchase order.exe, 00000007.00000002.599811556.00000000033E1000.00000004.00000001.sdmp, Drivers.exe, 00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.392234936.00000000044E2000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000003.504047446.0000000007E23000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.531885745.0000000004D50000.00000004.00000001.sdmp | false | - | high
http://certificates.godaddy.com/repository/0 | Purchase order.exe, 00000007.00000002.607397136.0000000006BB8000.00000004.00000001.sdmp | false | - | high
http://certs.godaddy.com/repository/1301 | Purchase order.exe, 00000007.00000002.607397136.0000000006BB8000.00000004.00000001.sdmp | false | - | high
https://contoso.com/License | powershell.exe, 0000000F.00000002.536141435.0000000005C75000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000F.00000002.536141435.0000000005C75000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org4)l | Purchase order.exe, 00000007.00000002.601601404.000000000374A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://blog.naver.com/cubemit314Ghttp://projectofsonagi.tistory.com/ | Purchase order.exe, 00000002.00000002.334741254.00000000040B9000.00000004.00000001.sdmp, Drivers.exe, 0000000B.00000002.423935619.0000000003529000.00000004.00000001.sdmp | false | - | high
http://crl.godaddy.com/gdig2s1-1823.crl0 | Purchase order.exe, 00000007.00000002.607397136.0000000006BB8000.00000004.00000001.sdmp | false | - | high
https://certs.godaddy.com/repository/0 | Purchase order.exe, 00000007.00000002.607397136.0000000006BB8000.00000004.00000001.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.392234936.00000000044E2000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000003.504047446.0000000007E23000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.531885745.0000000004D50000.00000004.00000001.sdmp | false | - | high
https://api.ipify.org%$ | Purchase order.exe, 00000007.00000002.599811556.00000000033E1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.microsoft.coo. | Purchase order.exe, 00000007.00000002.607485458.0000000006BF0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.godaddy.com/gdroot-g2.crl0F | Purchase order.exe, 00000007.00000002.607397136.0000000006BB8000.00000004.00000001.sdmp | false | - | high
https://github.com/Pester/PesterHz | powershell.exe, 00000003.00000002.392234936.00000000044E2000.00000004.00000001.sdmp | false | - | high
https://contoso.com/ | powershell.exe, 0000000F.00000002.536141435.0000000005C75000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.393564228.0000000005408000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.536141435.0000000005C75000.00000004.00000001.sdmp | false | - | high
http://crl.godaddy.com/gdroot.crl0F | Purchase order.exe, 00000007.00000002.607397136.0000000006BB8000.00000004.00000001.sdmp | false | - | high
http://pesterbdd.com/images/Pester.pngHz | powershell.exe, 00000003.00000002.392234936.00000000044E2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.orgD8)l | Purchase order.exe, 00000007.00000002.602072770.000000000379E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://api.ipify.org%GETMozilla/5.0 | Drivers.exe, 00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://www.apache.org/licenses/LICENSE-2.0.htmlHz | powershell.exe, 00000003.00000002.392234936.00000000044E2000.00000004.00000001.sdmp | false | - | high
http://api.telegram.org | Purchase order.exe, 00000007.00000002.601672353.000000000375E000.00000004.00000001.sdmp | false | - | high
http://certificates.godaddy.com/repository/gdig2.crt0 | Purchase order.exe, 00000007.00000002.607397136.0000000006BB8000.00000004.00000001.sdmp | false | - | high
http://jotaSG.com | Drivers.exe, 00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot1670019254:AAH89qmQqzYne6MnIySolVTT-8E2raVN0Ko/sendDocument | Purchase order.exe, 00000007.00000002.601601404.000000000374A000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.392035603.00000000043A1000.00000004.00000001.sdmp, Purchase order.exe, 00000007.00000002.601601404.000000000374A000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.531608455.0000000004C11000.00000004.00000001.sdmp | false | - | high
https://api.telegram.org/bot1670019254:AAH89qmQqzYne6MnIySolVTT-8E2raVN0Ko/sendDocumentdocument----- | Purchase order.exe, 00000007.00000002.599811556.00000000033E1000.00000004.00000001.sdmp, Drivers.exe, 00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp | false | - | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Purchase order.exe, 00000002.00000002.334741254.00000000040B9000.00000004.00000001.sdmp, Purchase order.exe, 00000007.00000002.592269588.0000000000402000.00000040.00000001.sdmp, Drivers.exe, 0000000B.00000002.423935619.0000000003529000.00000004.00000001.sdmp, Drivers.exe, 00000011.00000002.592230208.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown

                                                                Contacted IPs


                                                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | unknown | United Kingdom | 62041 | TELEGRAMRU | false

                                                                General Information

                                                                Joe Sandbox Version:31.0.0 Emerald
                                                                Analysis ID:358189
                                                                Start date:25.02.2021
                                                                Start time:07:44:44
                                                                Joe Sandbox Product:CloudBasic
                                                                Overall analysis duration:0h 13m 53s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:light
                                                                Sample file name:Purchase order.exe
                                                                Cookbook file name:default.jbs
                                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:30
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:0
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • HDC enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Detection:MAL
                                                                Classification:mal100.troj.adwa.spyw.evad.winEXE@14/13@1/1
                                                                EGA Information:Failed
                                                                HDC Information:Failed
                                                                HCA Information:
                                                                • Successful, ratio: 100%
                                                                • Number of executed functions: 0
                                                                • Number of non-executed functions: 0
                                                                Cookbook Comments:
                                                                • Adjust boot time
                                                                • Enable AMSI
                                                                • Found application associated with file extension: .exe
                                                                Warnings:
                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, taskhostw.exe, audiodg.exe, BackgroundTransferHost.exe, wermgr.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                • Excluded IPs from analysis (whitelisted): 13.88.21.125, 92.122.145.220, 168.61.161.212, 52.255.188.83, 104.43.139.144, 51.11.168.160, 104.43.193.48, 2.20.142.210, 2.20.142.209, 51.103.5.159, 52.155.217.156, 92.122.213.194, 92.122.213.247, 20.54.26.129, 40.126.31.1, 40.126.31.135, 20.190.159.138, 40.126.31.6, 40.126.31.4, 40.126.31.8, 40.126.31.139, 40.126.31.141, 23.218.208.56
                                                                • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, vip1-par02p.wns.notify.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, login.live.com, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                • VT rate limit hit for: /opt/package/joesandbox/database/analysis/358189/sample/Purchase order.exe

                                                                Simulations

                                                                Behavior and APIs

Time | Type | Description
07:45:57 | API Interceptor | 699x Sleep call for process: Purchase order.exe modified
07:46:00 | API Interceptor | 59x Sleep call for process: powershell.exe modified
07:46:05 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
07:46:58 | API Interceptor | 307x Sleep call for process: Drivers.exe modified

                                                                Joe Sandbox View / Context

                                                                IPs

Match | Associated Sample Name / URL | Detection
149.154.167.220 | WHz0D1UERA.exe | malicious
149.154.167.220 | g6ys6ZH0HO.exe | malicious
149.154.167.220 | OC 136584.PDF.exe | malicious
149.154.167.220 | Quote_13940007.exe | malicious
149.154.167.220 | SKBM 0222.exe | malicious
149.154.167.220 | crypted.exe | malicious
149.154.167.220 | PO-735643-SALES.exe | malicious
149.154.167.220 | muOvK6dngg.exe | malicious
149.154.167.220 | SKBM 0222..exe | malicious
149.154.167.220 | PO 86540.exe | malicious
149.154.167.220 | Unterlagen PDF.exe | malicious
149.154.167.220 | JFAaEh5hB6.exe | malicious
149.154.167.220 | BMfiIGROO2.exe | malicious
149.154.167.220 | Inv_874520.exe | malicious
149.154.167.220 | Inv_95736.scr.exe | malicious
149.154.167.220 | purchase_order.exe | malicious
149.154.167.220 | RFQ_2345.exe | malicious
149.154.167.220 | Rechnung.exe | malicious
149.154.167.220 | Shipping_Doc.exe | malicious
149.154.167.220 | Purchase_Order16-122020.exe | malicious

                                                                                                        Domains

Match | Associated Sample Name / URL | Detection | Context
api.telegram.org | WHz0D1UERA.exe | malicious | 149.154.167.220
api.telegram.org | g6ys6ZH0HO.exe | malicious | 149.154.167.220
api.telegram.org | OC 136584.PDF.exe | malicious | 149.154.167.220
api.telegram.org | Quote_13940007.exe | malicious | 149.154.167.220
api.telegram.org | SKBM 0222.exe | malicious | 149.154.167.220
api.telegram.org | crypted.exe | malicious | 149.154.167.220
api.telegram.org | PO-735643-SALES.exe | malicious | 149.154.167.220
api.telegram.org | muOvK6dngg.exe | malicious | 149.154.167.220
api.telegram.org | SKBM 0222..exe | malicious | 149.154.167.220
api.telegram.org | PO 86540.exe | malicious | 149.154.167.220
api.telegram.org | Unterlagen PDF.exe | malicious | 149.154.167.220
api.telegram.org | JFAaEh5hB6.exe | malicious | 149.154.167.220
api.telegram.org | BMfiIGROO2.exe | malicious | 149.154.167.220
api.telegram.org | Inv_874520.exe | malicious | 149.154.167.220
api.telegram.org | Inv_95736.scr.exe | malicious | 149.154.167.220
api.telegram.org | REVISED_INVOICE_Company_BankDetails_fle_doc.xlsx.exe | malicious | 149.154.167.220
api.telegram.org | purchase_order.exe | malicious | 149.154.167.220
api.telegram.org | RFQ_2345.exe | malicious | 149.154.167.220
api.telegram.org | Rechnung.exe | malicious | 149.154.167.220
api.telegram.org | Shipping_Doc.exe | malicious | 149.154.167.220

ASN

Match: TELEGRAMRU

Associated Sample Name / URL                            Detection    Context
WHz0D1UERA.exe                                          malicious    149.154.167.220
g6ys6ZH0HO.exe                                          malicious    149.154.167.220
OC 136584.PDF.exe                                       malicious    149.154.167.220
Quote_13940007.exe                                      malicious    149.154.167.220
SKBM 0222.exe                                           malicious    149.154.167.220
crypted.exe                                             malicious    149.154.167.220
PO-735643-SALES.exe                                     malicious    149.154.167.220
muOvK6dngg.exe                                          malicious    149.154.167.220
SKBM 0222..exe                                          malicious    149.154.167.220
PO 86540.exe                                            malicious    149.154.167.220
Unterlagen PDF.exe                                      malicious    149.154.167.220
JFAaEh5hB6.exe                                          malicious    149.154.167.220
BMfiIGROO2.exe                                          malicious    149.154.167.220
Inv_874520.exe                                          malicious    149.154.167.220
Inv_95736.scr.exe                                       malicious    149.154.167.220
purchase_order.exe                                      malicious    149.154.167.220
RFQ_2345.exe                                            malicious    149.154.167.220
Rechnung.exe                                            malicious    149.154.167.220
Shipping_Doc.exe                                        malicious    149.154.167.220
Purchase_Order16-122020.exe                             malicious    149.154.167.220

JA3 Fingerprints

Match: 3b5074b1b5d032e5620f69f9f700ff0e

Associated Sample Name / URL                            Detection    Context
HblVSJaQa1.exe                                          malicious    149.154.167.220
FspMzSMtYA.exe                                          malicious    149.154.167.220
New Po #0126733 2021.exe                                malicious    149.154.167.220
530000.exe                                              malicious    149.154.167.220
Bitcoin Mining 2021 Feb.exe                             malicious    149.154.167.220
MT SC GUANGZHOU.exe                                     malicious    149.154.167.220
MT WOOJIN CHEMS V.2103.exe                              malicious    149.154.167.220
EOrg2020.exe                                            malicious    149.154.167.220
Bitcoin Mining 2021 Feb.exe                             malicious    149.154.167.220
AZjP1E0nRZ.exe                                          malicious    149.154.167.220
x0yccMVTIb.exe                                          malicious    149.154.167.220
WHz0D1UERA.exe                                          malicious    149.154.167.220
SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe    malicious    149.154.167.220
1i0Bvmiuqg.exe                                          malicious    149.154.167.220
SecuriteInfo.com.Variant.Zusy.368685.25375.exe          malicious    149.154.167.220
OC 136584.PDF.exe                                       malicious    149.154.167.220
Quote_13940007.exe                                      malicious    149.154.167.220
SecuriteInfo.com.Variant.Zusy.368685.25618.exe          malicious    149.154.167.220
SKBM 0222.exe                                           malicious    149.154.167.220
8WjU4jrBIr.exe                                          malicious    149.154.167.220

                                                                                                        Dropped Files

                                                                                                        No context

                                                                                                        Created / dropped Files

                                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Drivers.exe.log
                                                                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):706
                                                                                                        Entropy (8bit):5.342604339328228
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12:Q3La/hhkvoDLI4MWuCqDLI4MWuPk21q1KDLI4M9XKbbDLI4MWuPJKiUrRZ9I0ZKm:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9px
                                                                                                        MD5:3A72FBECA73A61C00EECBDEC37EAD411
                                                                                                        SHA1:E2330F7B3182A857BB477B2492DDECC2A8488211
                                                                                                        SHA-256:2D4310C4AB9ADEFD6169137CD8973D23D779EDD968B8B39DBC072BF888D0802C
                                                                                                        SHA-512:260EBFB3045513A0BA14751A6B67C95CDA83DD122DC8510EF89C9C42C19F076C8C40645E0795C15ADDF57DB65513DD73EB3C5D0C883C6FB1C34165BE35AE3889
                                                                                                        Malicious:false
                                                                                                        Reputation:moderate, very likely benign file
                                                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase order.exe.log
                                                                                                        Process:C:\Users\user\Desktop\Purchase order.exe
                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):706
                                                                                                        Entropy (8bit):5.342604339328228
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12:Q3La/hhkvoDLI4MWuCqDLI4MWuPk21q1KDLI4M9XKbbDLI4MWuPJKiUrRZ9I0ZKm:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9px
                                                                                                        MD5:3A72FBECA73A61C00EECBDEC37EAD411
                                                                                                        SHA1:E2330F7B3182A857BB477B2492DDECC2A8488211
                                                                                                        SHA-256:2D4310C4AB9ADEFD6169137CD8973D23D779EDD968B8B39DBC072BF888D0802C
                                                                                                        SHA-512:260EBFB3045513A0BA14751A6B67C95CDA83DD122DC8510EF89C9C42C19F076C8C40645E0795C15ADDF57DB65513DD73EB3C5D0C883C6FB1C34165BE35AE3889
                                                                                                        Malicious:false
                                                                                                        Reputation:moderate, very likely benign file
                                                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:data
                                                                                                        Category:dropped
                                                                                                        Size (bytes):8003
                                                                                                        Entropy (8bit):4.839308921501875
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:192:yxoe5oVsm5emdVVFn3eGOVpN6K3bkkjo59gkjDt4iWN3yBGHh9smidcU6CXpOTik:DBVoGIpN6KQkj2Wkjh4iUx0mib4J
                                                                                                        MD5:937C6E940577634844311E349BD4614D
                                                                                                        SHA1:379440E933201CD3E6E6BF9B0E61B7663693195F
                                                                                                        SHA-256:30DC628AB2979D2CF0D281E998077E5721C68B9BBA61610039E11FDC438B993C
                                                                                                        SHA-512:6B37FE533991631C8290A0E9CC0B4F11A79828616BEF0233B4C57EC7C9DCBFC274FB7E50FC920C4312C93E74CE621B6779F10E4016E9FD794961696074BDFBFA
                                                                                                        Malicious:false
                                                                                                        Reputation:moderate, very likely benign file
                                                                                                        Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:data
                                                                                                        Category:dropped
                                                                                                        Size (bytes):19640
                                                                                                        Entropy (8bit):5.572484966310125
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:384:2t9+Xm2S0uuaR30+biRISBKn7ul9bpaeQ9QRbp2cQwpPTDwiqWJI5jw:q6aR3P/4K7ulDat9qoRgszWJl
                                                                                                        MD5:82FF6947CCC8C0CD577C594B9F9804D9
                                                                                                        SHA1:8F4B30A204F6769EE80AD43A37621C0020EBAE76
                                                                                                        SHA-256:3FBA5040D96FCC73B0BB50A535B7F8ACB0C66592072A6625684CD556C763E8AD
                                                                                                        SHA-512:AB54A229F3030EE75B65326A65D35D6AB89D3FDAFA6AF732453196896AF0DB4A9B3AC99958A836110633A69A3C4B5FB77038A80D9340E0666817AF6AD30ED596
                                                                                                        Malicious:false
                                                                                                        Reputation:low
                                                                                                        Preview: @...e.....................'.g.T.T...Z...'.r..........@..........H...............<@.^.L."My...:?..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)V.......System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP...............-K..s.F..*.]`.,......(.Microsoft.PowerShell.Commands.ManagementD..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_00vk02bh.l3e.psm1
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:very short file (no magic)
                                                                                                        Category:dropped
                                                                                                        Size (bytes):1
                                                                                                        Entropy (8bit):0.0
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:U:U
                                                                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                        Malicious:false
                                                                                                        Reputation:high, very likely benign file
                                                                                                        Preview: 1
                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jdd0wdgo.1sf.ps1
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:very short file (no magic)
                                                                                                        Category:dropped
                                                                                                        Size (bytes):1
                                                                                                        Entropy (8bit):0.0
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:U:U
                                                                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                        Malicious:false
                                                                                                        Preview: 1
                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k3u3tnr4.sav.ps1
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:very short file (no magic)
                                                                                                        Category:dropped
                                                                                                        Size (bytes):1
                                                                                                        Entropy (8bit):0.0
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:U:U
                                                                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                        Malicious:false
                                                                                                        Preview: 1
                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y4ubbksp.mot.psm1
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:very short file (no magic)
                                                                                                        Category:dropped
                                                                                                        Size (bytes):1
                                                                                                        Entropy (8bit):0.0
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:U:U
                                                                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                        Malicious:false
                                                                                                        Preview: 1
                                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):544256
                                                                                                        Entropy (8bit):7.296683876210466
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12288:+cQS8AfwkDQl5YClyDAPxxJ/sRP7S0wvGtf:+cn8AfwDl5YClrxj/t0w+t
                                                                                                        MD5:98BE4D3BB2053810801FADEB32884ACD
                                                                                                        SHA1:8919195923883F3842FF78210AB6C6C1E448A10B
                                                                                                        SHA-256:DF61B9C866C5CEB278E173814DDF975B70B5B2E9FCBC5B482326E4163C2E1086
                                                                                                        SHA-512:4055EA00FDF72A82C2D75D7C2DFECDA9E4011708380A493FD6597015779247A03B12262DDA618A88C6AF0EC7447132322C675F1F27A16885CB78DB9728986BD1
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: ReversingLabs, Detection: 28%
                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6`..............0.................. ........@.. ....................................@.....................................W.......B............................................................................ ............... ..H............text........ ...................... ..`.rsrc...B...........................@..@.reloc...............L..............@..B........................H............0......3...T9..Vf............................................(.......(....}.....(............s....('....*.(,........*".(.....*6.{....o.....*.s.........*.(/....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..r...p}......(J...}.....r...p}.......W...%..,.}.....(.....*.......%.(K...(L....%.r?..p.%.(.....%.r...p.(M........*..{....*"..}....*^..}.....(a......(&....*^...ob...(!......(c....*6.~....(,...&*.(E...r_..p(.........~....~.
                                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe:Zone.Identifier
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):26
                                                                                                        Entropy (8bit):3.95006375643621
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:ggPYV:rPYV
                                                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                        Malicious:true
                                                                                                        Preview: [ZoneTransfer]....ZoneId=0
                                                                                                        C:\Users\user\Documents\20210225\PowerShell_transcript.899552.84Dp3uuP.20210225074538.txt
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):1201
                                                                                                        Entropy (8bit):5.161841529627427
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:24:BxSAc7vBVLazx2DOXCgQRabuVM5fWOHjeTKKjX4CIym1ZJXuRabuVM5XnxSAZS:BZwvTL0oOduA+OqDYB1ZJuA3ZZS
                                                                                                        MD5:0DFD33867C55121FFE904CB48324BA7C
                                                                                                        SHA1:EC28CEA1FF2C1903454BE114B1A45601A7F2841A
                                                                                                        SHA-256:26C4FBB8EE86ADC508CCCDE90E9AE3A07AFA06FB9B53F03E33B9AEA905377334
                                                                                                        SHA-512:53D88A52E40DEEB49B40192C2C5BE05778C8CB38F4F8DD37D58E780C37D889C87FE7BF0D868AEF7E3FD5BE0F06AABC65B3490433FBE6F414E363B9C283C463CB
                                                                                                        Malicious:false
                                                                                                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20210225074553..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 899552 (Microsoft Windows NT 10.0.17134.0)..Host Application: Powershell.exe -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Purchase order.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'..Process ID: 7128..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210225074554..**********************..PS>Copy-Item 'C:\Users\user\Desktop\Purchase order.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'..************
                                                                                                        C:\Users\user\Documents\20210225\PowerShell_transcript.899552.Nq+y45_q.20210225074621.txt
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):3951
                                                                                                        Entropy (8bit):5.314377925178523
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:96:BZETL0NlEWqDo1ZKE9ZTTL0NlEWqDo1ZGZxY6HY6HU6vZe:u
                                                                                                        MD5:2E00D0DF7C077195D4F75EC25FBF7D17
                                                                                                        SHA1:FFCA4D5ACB27279BDCED9E75D14BA26213B44D7B
                                                                                                        SHA-256:68AE9A540AF7F57822E45679F3AA45DFB8BF7F1D1DE60FBC535C8D31F11FA637
                                                                                                        SHA-512:8BE5D910DDAEEA0C787359E2C969F0295F0112BEB2C974D295651949B2FD5110879AD913015519982455574DD83BF824C0365E583165555AA087B25BE7FEB96B
                                                                                                        Malicious:false
                                                                                                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20210225074643..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 899552 (Microsoft Windows NT 10.0.17134.0)..Host Application: Powershell.exe -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'..Process ID: 7032..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210225074643..**********************..PS>Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' 'C:\Users\eng

                                                                                                        Static File Info

                                                                                                        General

                                                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Entropy (8bit):7.296683876210466
                                                                                                        TrID:
                                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                        • DOS Executable Generic (2002/1) 0.01%
                                                                                                        File name:Purchase order.exe
                                                                                                        File size:544256
                                                                                                        MD5:98be4d3bb2053810801fadeb32884acd
                                                                                                        SHA1:8919195923883f3842ff78210ab6c6c1e448a10b
                                                                                                        SHA256:df61b9c866c5ceb278e173814ddf975b70b5b2e9fcbc5b482326e4163c2e1086
                                                                                                        SHA512:4055ea00fdf72a82c2d75d7c2dfecda9e4011708380a493fd6597015779247a03b12262dda618a88c6af0ec7447132322c675f1f27a16885cb78db9728986bd1
                                                                                                        SSDEEP:12288:+cQS8AfwkDQl5YClyDAPxxJ/sRP7S0wvGtf:+cn8AfwDl5YClrxj/t0w+t
                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....6`..............0.................. ........@.. ....................................@................................

                                                                                                        File Icon

                                                                                                        Icon Hash:c29ae2e8b9b88670

                                                                                                        Static PE Info

                                                                                                        General

                                                                                                        Entrypoint:0x46d0fe
                                                                                                        Entrypoint Section:.text
                                                                                                        Digitally signed:false
                                                                                                        Imagebase:0x400000
                                                                                                        Subsystem:windows gui
                                                                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                        Time Stamp:0x60369DF3 [Wed Feb 24 18:41:55 2021 UTC]
                                                                                                        TLS Callbacks:
                                                                                                        CLR (.Net) Version:v4.0.30319
                                                                                                        OS Version Major:4
                                                                                                        OS Version Minor:0
                                                                                                        File Version Major:4
                                                                                                        File Version Minor:0
                                                                                                        Subsystem Version Major:4
                                                                                                        Subsystem Version Minor:0
                                                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                        Entrypoint Preview

                                                                                                        Instruction
                                                                                                        jmp dword ptr [00402000h]
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al

                                                                                                        Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x6d0a4          0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x6e000          0x19642       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x88000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x6b104 | 0x6b200 | False | 0.942199350933 | data | 7.98094912825 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x6e000 | 0x19642 | 0x19800 | False | 0.0767176011029 | data | 1.97122010304 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x88000 | 0xc | 0x200 | False | 0.041015625 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x6e220 | 0x98f | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0x6ebb0 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
RT_ICON | 0x7f3d8 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x83600 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x85ba8 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x86c50 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0x870b8 | 0x5a | data | |
RT_VERSION | 0x87114 | 0x344 | data | |
RT_MANIFEST | 0x87458 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright |
Assembly Version | 16.0.0.0
InternalName | POWERPNT.exe
FileVersion | 16.0.0.0
CompanyName | Microsoft Corporation
Comments | Microsoft PowerPoint
ProductName | Microsoft Office 2016
ProductVersion | 16.0.0.0
FileDescription | POWERPNT
OriginalFilename | POWERPNT.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 25, 2021 07:47:37.818101883 CET | 49748 | 443 | 192.168.2.6 | 149.154.167.220
Feb 25, 2021 07:47:37.869913101 CET | 443 | 49748 | 149.154.167.220 | 192.168.2.6
Feb 25, 2021 07:47:37.870048046 CET | 49748 | 443 | 192.168.2.6 | 149.154.167.220
Feb 25, 2021 07:47:38.054549932 CET | 49748 | 443 | 192.168.2.6 | 149.154.167.220
Feb 25, 2021 07:47:38.109113932 CET | 443 | 49748 | 149.154.167.220 | 192.168.2.6
Feb 25, 2021 07:47:38.110987902 CET | 443 | 49748 | 149.154.167.220 | 192.168.2.6
Feb 25, 2021 07:47:38.111008883 CET | 443 | 49748 | 149.154.167.220 | 192.168.2.6
Feb 25, 2021 07:47:38.111023903 CET | 443 | 49748 | 149.154.167.220 | 192.168.2.6
Feb 25, 2021 07:47:38.111037016 CET | 443 | 49748 | 149.154.167.220 | 192.168.2.6
Feb 25, 2021 07:47:38.111148119 CET | 49748 | 443 | 192.168.2.6 | 149.154.167.220
Feb 25, 2021 07:47:38.112062931 CET | 443 | 49748 | 149.154.167.220 | 192.168.2.6
Feb 25, 2021 07:47:38.112078905 CET | 443 | 49748 | 149.154.167.220 | 192.168.2.6
Feb 25, 2021 07:47:38.112287045 CET | 49748 | 443 | 192.168.2.6 | 149.154.167.220
Feb 25, 2021 07:47:38.120388031 CET | 49748 | 443 | 192.168.2.6 | 149.154.167.220
Feb 25, 2021 07:47:38.174921989 CET | 443 | 49748 | 149.154.167.220 | 192.168.2.6
Feb 25, 2021 07:47:38.223704100 CET | 49748 | 443 | 192.168.2.6 | 149.154.167.220
Feb 25, 2021 07:47:38.865050077 CET | 49748 | 443 | 192.168.2.6 | 149.154.167.220
Feb 25, 2021 07:47:38.925525904 CET | 443 | 49748 | 149.154.167.220 | 192.168.2.6
Feb 25, 2021 07:47:38.928488016 CET | 49748 | 443 | 192.168.2.6 | 149.154.167.220
Feb 25, 2021 07:47:39.025962114 CET | 443 | 49748 | 149.154.167.220 | 192.168.2.6
Feb 25, 2021 07:47:39.538077116 CET | 443 | 49748 | 149.154.167.220 | 192.168.2.6
Feb 25, 2021 07:47:39.583225965 CET | 49748 | 443 | 192.168.2.6 | 149.154.167.220
Feb 25, 2021 07:47:39.931586027 CET | 49748 | 443 | 192.168.2.6 | 149.154.167.220
Feb 25, 2021 07:47:39.982371092 CET | 443 | 49748 | 149.154.167.220 | 192.168.2.6
Feb 25, 2021 07:47:39.982395887 CET | 443 | 49748 | 149.154.167.220 | 192.168.2.6
Feb 25, 2021 07:47:39.982677937 CET | 49748 | 443 | 192.168.2.6 | 149.154.167.220
Feb 25, 2021 07:47:40.033467054 CET | 443 | 49748 | 149.154.167.220 | 192.168.2.6
Feb 25, 2021 07:47:40.424951077 CET | 443 | 49748 | 149.154.167.220 | 192.168.2.6
Feb 25, 2021 07:47:40.429474115 CET | 49748 | 443 | 192.168.2.6 | 149.154.167.220
Feb 25, 2021 07:47:40.480272055 CET | 443 | 49748 | 149.154.167.220 | 192.168.2.6
Feb 25, 2021 07:47:40.480581045 CET | 49748 | 443 | 192.168.2.6 | 149.154.167.220

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 25, 2021 07:45:27.833833933 CET | 54513 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:45:27.882523060 CET | 53 | 54513 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:45:28.249928951 CET | 62044 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:45:28.322299004 CET | 53 | 62044 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:45:29.272773027 CET | 63791 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:45:29.324351072 CET | 53 | 63791 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:45:30.477871895 CET | 64267 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:45:30.526504040 CET | 53 | 64267 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:45:31.658081055 CET | 49448 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:45:31.712163925 CET | 53 | 49448 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:45:33.108897924 CET | 60342 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:45:33.159143925 CET | 53 | 60342 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:45:33.992043018 CET | 61346 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:45:34.042870998 CET | 53 | 61346 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:45:58.763430119 CET | 51774 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:45:58.815009117 CET | 53 | 51774 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:45:59.649032116 CET | 56023 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:45:59.697731018 CET | 53 | 56023 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:46:00.453399897 CET | 58384 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:46:00.502321005 CET | 53 | 58384 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:46:02.654409885 CET | 60261 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:46:02.703193903 CET | 53 | 60261 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:46:03.897804976 CET | 56061 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:46:03.952090979 CET | 53 | 56061 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:46:04.880928993 CET | 58336 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:46:04.931982040 CET | 53 | 58336 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:46:05.839903116 CET | 53781 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:46:05.889086008 CET | 53 | 53781 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:46:07.119414091 CET | 54064 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:46:07.179316044 CET | 53 | 54064 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:46:08.293875933 CET | 52811 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:46:08.342838049 CET | 53 | 52811 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:46:17.447737932 CET | 55299 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:46:17.500386000 CET | 53 | 55299 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:46:18.552854061 CET | 63745 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:46:18.602615118 CET | 53 | 63745 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:46:19.561132908 CET | 50055 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:46:19.610884905 CET | 53 | 50055 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:46:21.826067924 CET | 61374 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:46:21.883124113 CET | 53 | 61374 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:46:24.523447990 CET | 50339 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:46:24.572088957 CET | 53 | 50339 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:46:32.903569937 CET | 63307 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:46:33.915173054 CET | 63307 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:46:33.974131107 CET | 53 | 63307 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:46:34.741507053 CET | 49694 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:46:34.800889015 CET | 53 | 49694 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:46:35.554100990 CET | 54982 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:46:35.572737932 CET | 50010 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:46:35.614238024 CET | 53 | 54982 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:46:35.629693985 CET | 53 | 50010 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:46:35.657224894 CET | 63718 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:46:35.717067957 CET | 53 | 63718 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:46:36.573292971 CET | 62116 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:46:36.633711100 CET | 53 | 62116 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:46:37.389599085 CET | 63816 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:46:37.449058056 CET | 53 | 63816 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:46:38.372221947 CET | 55014 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:46:38.422899008 CET | 53 | 55014 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:46:39.503551960 CET | 62208 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:46:39.553471088 CET | 53 | 62208 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:46:41.097889900 CET | 57574 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:46:41.149591923 CET | 53 | 57574 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:46:42.437510014 CET | 51818 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:46:42.496706963 CET | 53 | 51818 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:46:43.218672037 CET | 56628 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:46:43.278783083 CET | 53 | 56628 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:46:53.585944891 CET | 60778 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:46:53.646032095 CET | 53 | 60778 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:46:54.289232969 CET | 53799 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:46:54.338109970 CET | 53 | 53799 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:47:08.816586971 CET | 54683 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:47:08.879374981 CET | 53 | 54683 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:47:10.785978079 CET | 59329 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:47:10.837296963 CET | 53 | 59329 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:47:12.237906933 CET | 64021 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:47:12.312980890 CET | 53 | 64021 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 07:47:37.528059959 CET | 56129 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 07:47:37.584954023 CET | 53 | 56129 | 8.8.8.8 | 192.168.2.6

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 25, 2021 07:47:37.528059959 CET | 192.168.2.6 | 8.8.8.8 | 0x7e5 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 25, 2021 07:46:53.646032095 CET | 8.8.8.8 | 192.168.2.6 | 0x3d85 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net | | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 07:47:37.584954023 CET | 8.8.8.8 | 192.168.2.6 | 0x7e5 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001)

HTTPS Packets

Timestamp: Feb 25, 2021 07:47:38.112062931 CET
Source IP: 149.154.167.220 | Source Port: 443
Dest IP: 192.168.2.6 | Dest Port: 49748
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 3b5074b1b5d032e5620f69f9f700ff0e

Certificate chain presented by the server (Subject | Issuer | Not Before | Not After):
1. CN=api.telegram.org, OU=Domain Control Validated | CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | Tue Mar 24 14:48:17 CET 2020 | Mon May 23 18:17:38 CEST 2022
2. CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | Tue May 03 09:00:00 CEST 2011 | Sat May 03 09:00:00 CEST 2031
3. CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | Wed Jan 01 08:00:00 CET 2014 | Fri May 30 09:00:00 CEST 2031
4. OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | Tue Jun 29 19:06:20 CEST 2004 | Thu Jun 29 19:06:20 CEST 2034

Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 07:45:34
Start date: 25/02/2021
Path: C:\Users\user\Desktop\Purchase order.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Purchase order.exe'
Imagebase: 0xd20000
File size: 544256 bytes
MD5 hash: 98BE4D3BB2053810801FADEB32884ACD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000002.00000002.337349475.00000000057B0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.334741254.00000000040B9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000002.00000002.334741254.00000000040B9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000003.324926849.0000000001303000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 07:45:36
Start date: 25/02/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
                                                                                                        Commandline:'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Purchase order.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
                                                                                                        Imagebase:0xd30000
                                                                                                        File size:430592 bytes
                                                                                                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                        Reputation:high

                                                                                                        General

                                                                                                        Start time:07:45:36
                                                                                                        Start date:25/02/2021
                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                        Imagebase:0x7ff61de10000
                                                                                                        File size:625664 bytes
                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high

                                                                                                        General

                                                                                                        Start time:07:45:37
                                                                                                        Start date:25/02/2021
                                                                                                        Path:C:\Users\user\Desktop\Purchase order.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Users\user\Desktop\Purchase order.exe
                                                                                                        Imagebase:0x1f0000
                                                                                                        File size:544256 bytes
                                                                                                        MD5 hash:98BE4D3BB2053810801FADEB32884ACD
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:low

                                                                                                        General

                                                                                                        Start time:07:45:38
                                                                                                        Start date:25/02/2021
                                                                                                        Path:C:\Users\user\Desktop\Purchase order.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:C:\Users\user\Desktop\Purchase order.exe
                                                                                                        Imagebase:0xf90000
                                                                                                        File size:544256 bytes
                                                                                                        MD5 hash:98BE4D3BB2053810801FADEB32884ACD
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.592269588.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.599811556.00000000033E1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.599811556.00000000033E1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                        Reputation:low

                                                                                                        General

                                                                                                        Start time:07:46:14
                                                                                                        Start date:25/02/2021
                                                                                                        Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
                                                                                                        Imagebase:0x10000
                                                                                                        File size:544256 bytes
                                                                                                        MD5 hash:98BE4D3BB2053810801FADEB32884ACD
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.423935619.0000000003529000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 0000000B.00000002.423935619.0000000003529000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000003.412342681.0000000000756000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 0000000B.00000002.429837387.0000000004B20000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 28%, ReversingLabs
                                                                                                        Reputation:low

                                                                                                        General

                                                                                                        Start time:07:46:17
                                                                                                        Start date:25/02/2021
                                                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
                                                                                                        Imagebase:0xd30000
                                                                                                        File size:430592 bytes
                                                                                                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                        Reputation:high

                                                                                                        General

                                                                                                        Start time:07:46:17
                                                                                                        Start date:25/02/2021
                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                        Imagebase:0x7ff61de10000
                                                                                                        File size:625664 bytes
                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high

                                                                                                        General

                                                                                                        Start time:07:46:19
                                                                                                        Start date:25/02/2021
                                                                                                        Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
                                                                                                        Imagebase:0x800000
                                                                                                        File size:544256 bytes
                                                                                                        MD5 hash:98BE4D3BB2053810801FADEB32884ACD
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.597984590.0000000002C31000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.592230208.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                        Reputation:low
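The process records above can be read mechanically, and doing so makes the behavioural chain obvious: a PowerShell instance started with -ExecutionPolicy Bypass copies the sample into the user's Startup folder as Drivers.exe; the sample relaunches its own image, once as a 64-bit process with no Yara hits and then as a 32-bit process whose AgentTesla match sits at 0x402000, i.e. inside the image's own code region; the Startup copy then runs and repeats the same PowerShell copy, this time with source and destination identical. The script below is an added example, not part of the Joe Sandbox report. It parses a constructed subset of the records (copied from the page into the REPORT string), flags those four patterns, and decodes the Yara "Source:" dump names. The dump-name field layout (PID.dump.timestamp.address.protection.type.sdmp, hex fields, with the protection value being a Win32 PAGE_* constant) is an assumption about the sandbox's naming convention, not something the report states.

```python
"""Triage helper for Joe Sandbox "General" process records.

Added example, not part of the report. REPORT is a constructed subset of
the process list on this page. The dump-name layout used by
decode_dump_source() is an assumption about the sandbox's naming scheme.
"""
import re
from collections import defaultdict

SAMPLE_MD5 = "98BE4D3BB2053810801FADEB32884ACD"
STARTUP = "\\start menu\\programs\\startup\\"          # matched case-insensitively
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# Constructed from the page: one "General" header per process, key:value lines,
# Yara hits as "• Rule: ..., Source: <dump>, ..." bullet lines.
REPORT = r"""
General
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Purchase order.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
General
Path:C:\Users\user\Desktop\Purchase order.exe
Wow64 process (32bit):false
Commandline:C:\Users\user\Desktop\Purchase order.exe
MD5 hash:98BE4D3BB2053810801FADEB32884ACD
General
Path:C:\Users\user\Desktop\Purchase order.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\Desktop\Purchase order.exe
MD5 hash:98BE4D3BB2053810801FADEB32884ACD
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.592269588.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
General
Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
MD5 hash:98BE4D3BB2053810801FADEB32884ACD
General
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
"""


def parse_records(text):
    """Split the report text into one dict per 'General' block."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "General":
            cur = {"yara": []}
            records.append(cur)
        elif cur is None or not line:
            continue
        elif line.startswith("•"):
            cur["yara"].append(line)
        else:
            key, _, value = line.partition(":")   # split on the first ':' only
            cur[key] = value
    return records


def decode_dump_source(name):
    """ASSUMED layout: PID.dump.timestamp.address.protection.type.sdmp (hex)."""
    pid, _dump, _ts, addr, prot, _kind, _ext = name.split(".")
    prot_val = int(prot, 16)
    return {"pid": int(pid, 16), "address": int(addr, 16),
            "protection": PAGE_PROTECT.get(prot_val, hex(prot_val))}


def triage(text):
    """Return (finding, detail) tuples in report order, relaunch check last."""
    findings, bitness = [], defaultdict(set)
    for r in parse_records(text):
        path, cmd, md5 = r.get("Path", ""), r.get("Commandline", ""), r.get("MD5 hash", "")
        low = cmd.lower()
        if path.lower().endswith("powershell.exe") and "-executionpolicy bypass" in low and STARTUP in low:
            args = re.findall(r"'([^']+)'", cmd)[1:]      # drop 'Powershell.exe' itself
            if len(args) == 2 and args[0].lower() == args[1].lower():
                findings.append(("startup_self_copy", args[1]))   # Copy-Item onto itself
            else:
                findings.append(("startup_persistence", args[-1] if args else cmd))
        if STARTUP in path.lower() and md5 == SAMPLE_MD5:
            findings.append(("startup_copy_executed", path))
        bitness[(path.lower(), md5)].add(r.get("Wow64 process (32bit)"))
        for hit in r["yara"]:
            m = re.search(r"Source: (\S+\.sdmp)", hit)
            if m:
                d = decode_dump_source(m.group(1))
                if d["protection"] == "PAGE_EXECUTE_READWRITE":   # hit in RWX memory
                    findings.append(("rwx_yara_hit", f"pid {d['pid']} @ {d['address']:#x}"))
    for (path, _md5), seen in bitness.items():
        if {"true", "false"} <= seen:               # same image run as 64-bit and 32-bit
            findings.append(("mixed_bitness_relaunch", path))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(REPORT):
        print(f"{kind:24s} {detail}")
```

Two of the checks are worth a caveat. The self-copy finding is a quirk rather than evidence on its own: Copy-Item with identical source and destination does nothing useful, but it shows the persistence routine is run unconditionally on every start, which is why the same command line appears twice. The RWX finding is only as good as the assumed dump-name layout; confirm it against the sandbox's documentation before relying on it, though a match at 0x402000 in a 32-bit child of the same image is consistent with the payload being written over the child's own mapped PE, while the matches at heap addresses with protection 0x04 are consistent with in-memory copies of the decrypted payload.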

                                                                                                        Disassembly

                                                                                                        Code Analysis
