

Windows Analysis Report: Purchase Order-568149.exe

Overview

General Information

Sample Name: Purchase Order-568149.exe
Analysis ID: 458886
MD5: 83f1afd58bf104cb33facc556d7bae89
SHA1: 4d57ea68149da873d3da6de49241d1cd33f1b3f3
SHA256: f0a5918de0509be93ffa64be5e74942989fa8acd94b34b6659f479d22abab0ca
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AgentTesla (two rules: JoeSecurity_AgentTesla_1 and JoeSecurity_AgentTesla_2)
Yara detected AntiVM3
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • Purchase Order-568149.exe (PID: 3452 cmdline: 'C:\Users\user\Desktop\Purchase Order-568149.exe' MD5: 83F1AFD58BF104CB33FACC556D7BAE89)
    • schtasks.exe (PID: 2520 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RQqbzWGR' /XML 'C:\Users\user\AppData\Local\Temp\tmp5CCB.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Purchase Order-568149.exe (PID: 2796 cmdline: C:\Users\user\Desktop\Purchase Order-568149.exe MD5: 83F1AFD58BF104CB33FACC556D7BAE89)
      • schtasks.exe (PID: 5012 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TxWUEITvoDwYs' /XML 'C:\Users\user\AppData\Local\Temp\tmp8013.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • Purchase Order-568149.exe (PID: 3916 cmdline: C:\Users\user\Desktop\Purchase Order-568149.exe MD5: 83F1AFD58BF104CB33FACC556D7BAE89)
      • Purchase Order-568149.exe (PID: 3728 cmdline: C:\Users\user\Desktop\Purchase Order-568149.exe MD5: 83F1AFD58BF104CB33FACC556D7BAE89)
  • YYtJku.exe (PID: 5800 cmdline: 'C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe' MD5: 83F1AFD58BF104CB33FACC556D7BAE89)
    • schtasks.exe (PID: 5788 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RQqbzWGR' /XML 'C:\Users\user\AppData\Local\Temp\tmp31EE.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • YYtJku.exe (PID: 4788 cmdline: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe MD5: 83F1AFD58BF104CB33FACC556D7BAE89)
      • schtasks.exe (PID: 4700 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TxWUEITvoDwYs' /XML 'C:\Users\user\AppData\Local\Temp\tmp51AB.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • YYtJku.exe (PID: 4752 cmdline: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe MD5: 83F1AFD58BF104CB33FACC556D7BAE89)
  • YYtJku.exe (PID: 5964 cmdline: 'C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe' MD5: 83F1AFD58BF104CB33FACC556D7BAE89)
    • schtasks.exe (PID: 2944 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RQqbzWGR' /XML 'C:\Users\user\AppData\Local\Temp\tmp5526.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • YYtJku.exe (PID: 3120 cmdline: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe MD5: 83F1AFD58BF104CB33FACC556D7BAE89)
      • schtasks.exe (PID: 4872 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TxWUEITvoDwYs' /XML 'C:\Users\user\AppData\Local\Temp\tmp75EC.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 1236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • YYtJku.exe (PID: 5864 cmdline: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe MD5: 83F1AFD58BF104CB33FACC556D7BAE89)
  • cleanup
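The tree above shows the whole persistence chain in one picture: the sample relaunches itself from the Desktop with no arguments, each copy registers a scheduled task through schtasks.exe /Create with a task definition written to %Temp%, and the same binary (identical MD5) later runs from AppData\Roaming\YYtJku\YYtJku.exe and repeats the sequence. The following Python is an added example, not part of the Joe Sandbox report: it re-enters the tree as constructed rows and checks those three behaviours mechanically. The row format, the regular expressions and the three heuristics are this example's own assumptions; the argument-less self-spawn check only flags the process shape that the report's "Creates a process in suspended mode" and "Injects a PE file" signatures describe, it does not prove injection by itself.

```python
r"""Mechanical triage of the process tree above (added example, not report code).

Rows are 'level|pid|command line|md5', hand-copied from the listing; a row's parent
is the nearest shallower row above it. Three behaviours are checked:
  * schtasks.exe /Create whose /XML task definition is read from the user's Temp dir
  * processes running from AppData\Roaming whose MD5 equals the original sample's
  * a child started with the parent's own image and no arguments (the shape left by
    CreateProcess(CREATE_SUSPENDED) followed by writing a payload into the child)
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_MD5 = "83F1AFD58BF104CB33FACC556D7BAE89"  # MD5 of the initial sample (report header)

# Constructed from the report's process tree; conhost rows kept so the parent logic is exercised.
TREE = r"""
0|3452|'C:\Users\user\Desktop\Purchase Order-568149.exe'|83F1AFD58BF104CB33FACC556D7BAE89
1|2520|'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RQqbzWGR' /XML 'C:\Users\user\AppData\Local\Temp\tmp5CCB.tmp'|15FF7D8324231381BAD48A052F85DF04
2|5668|C:\Windows\system32\conhost.exe 0xffffffff -ForceV1|EA777DEEA782E8B4D7C7C33BBF8A4496
1|2796|C:\Users\user\Desktop\Purchase Order-568149.exe|83F1AFD58BF104CB33FACC556D7BAE89
2|5012|'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TxWUEITvoDwYs' /XML 'C:\Users\user\AppData\Local\Temp\tmp8013.tmp'|15FF7D8324231381BAD48A052F85DF04
3|5824|C:\Windows\system32\conhost.exe 0xffffffff -ForceV1|EA777DEEA782E8B4D7C7C33BBF8A4496
2|3916|C:\Users\user\Desktop\Purchase Order-568149.exe|83F1AFD58BF104CB33FACC556D7BAE89
2|3728|C:\Users\user\Desktop\Purchase Order-568149.exe|83F1AFD58BF104CB33FACC556D7BAE89
0|5800|'C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe'|83F1AFD58BF104CB33FACC556D7BAE89
1|5788|'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RQqbzWGR' /XML 'C:\Users\user\AppData\Local\Temp\tmp31EE.tmp'|15FF7D8324231381BAD48A052F85DF04
2|1676|C:\Windows\system32\conhost.exe 0xffffffff -ForceV1|EA777DEEA782E8B4D7C7C33BBF8A4496
1|4788|C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe|83F1AFD58BF104CB33FACC556D7BAE89
2|4700|'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TxWUEITvoDwYs' /XML 'C:\Users\user\AppData\Local\Temp\tmp51AB.tmp'|15FF7D8324231381BAD48A052F85DF04
3|5608|C:\Windows\system32\conhost.exe 0xffffffff -ForceV1|EA777DEEA782E8B4D7C7C33BBF8A4496
2|4752|C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe|83F1AFD58BF104CB33FACC556D7BAE89
0|5964|'C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe'|83F1AFD58BF104CB33FACC556D7BAE89
1|2944|'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RQqbzWGR' /XML 'C:\Users\user\AppData\Local\Temp\tmp5526.tmp'|15FF7D8324231381BAD48A052F85DF04
2|5104|C:\Windows\system32\conhost.exe 0xffffffff -ForceV1|EA777DEEA782E8B4D7C7C33BBF8A4496
1|3120|C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe|83F1AFD58BF104CB33FACC556D7BAE89
2|4872|'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TxWUEITvoDwYs' /XML 'C:\Users\user\AppData\Local\Temp\tmp75EC.tmp'|15FF7D8324231381BAD48A052F85DF04
3|1236|C:\Windows\system32\conhost.exe 0xffffffff -ForceV1|EA777DEEA782E8B4D7C7C33BBF8A4496
2|5864|C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe|83F1AFD58BF104CB33FACC556D7BAE89
"""


@dataclass
class Proc:
    pid: int
    image: str
    args: str
    md5: str
    parent: Optional[Proc]


# A quoted image path, or an unquoted path up to the first ".exe", then optional arguments.
_CMD = re.compile(r"^(?:'(?P<q>[^']+)'|(?P<u>.+?\.exe))(?:\s+(?P<args>.*))?$", re.I)


def parse_tree(text: str) -> list[Proc]:
    procs: list[Proc] = []
    last_at_level: dict[int, Proc] = {}
    for line in text.strip().splitlines():
        level_s, pid, cmdline, md5 = line.split("|", 3)
        m = _CMD.match(cmdline)
        if not m:
            raise ValueError(f"unparseable command line: {cmdline!r}")
        level = int(level_s)
        parent = last_at_level.get(level - 1) if level > 0 else None
        proc = Proc(int(pid), m.group("q") or m.group("u"), m.group("args") or "", md5.upper(), parent)
        last_at_level[level] = proc
        procs.append(proc)
    return procs


def _switch(args: str, flag: str) -> Optional[str]:
    """Value of a schtasks switch, quoted with single quotes or bare."""
    m = re.search(re.escape(flag) + r"\s+(?:'([^']+)'|(\S+))", args, re.I)
    return (m.group(1) or m.group(2)) if m else None


def scheduled_task_persistence(procs: list[Proc]) -> list[tuple[int, str, str]]:
    """(pid, task name, xml path) for schtasks /Create fed a task XML from the user's Temp dir."""
    hits = []
    for p in procs:
        if not (p.image.lower().endswith("\\schtasks.exe") and "/create" in p.args.lower()):
            continue
        xml = _switch(p.args, "/XML")
        if xml and "\\appdata\\local\\temp\\" in xml.lower():
            hits.append((p.pid, _switch(p.args, "/TN") or "", xml))
    return hits


def relocated_copies(procs: list[Proc], sample_md5: str = SAMPLE_MD5) -> list[tuple[int, str]]:
    """(pid, image) of processes running from AppData\\Roaming with the original sample's hash."""
    return [(p.pid, p.image) for p in procs
            if p.md5 == sample_md5 and "\\appdata\\roaming\\" in p.image.lower()]


def argless_self_spawns(procs: list[Proc]) -> list[tuple[int, int]]:
    """(parent pid, child pid) where the child is the parent's own image started with no arguments."""
    return [(p.parent.pid, p.pid) for p in procs
            if p.parent is not None and p.image.lower() == p.parent.image.lower() and not p.args]


if __name__ == "__main__":
    procs = parse_tree(TREE)
    for name, fn in (("scheduled tasks from Temp XML", scheduled_task_persistence),
                     ("relocated copies of the sample", relocated_copies),
                     ("argument-less self-spawns", argless_self_spawns)):
        print(f"{name}:")
        for hit in fn(procs):
            print("   ", hit)
```

On a live host the same three checks map onto Sysmon event ID 1 or Security event 4688 (command line, parent image, hash) rather than a hand-copied tree; the task folder Updates\ and the /XML-from-Temp pattern are the parts worth keying a hunt on, since the task names themselves (RQqbzWGR, TxWUEITvoDwYs) are random per build.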

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000026.00000002.598185480.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000026.00000002.598185480.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000019.00000002.509309042.0000000003188000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000007.00000002.390113039.0000000003B49000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000002.390113039.0000000003B49000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
[26 entries collapsed in the original report]

            Unpacked PEs

Source | Rule | Description | Author
7.2.Purchase Order-568149.exe.4097118.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
7.2.Purchase Order-568149.exe.4097118.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
7.2.Purchase Order-568149.exe.4097118.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
7.2.Purchase Order-568149.exe.4097118.4.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
11.2.Purchase Order-568149.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
[1 entry collapsed in the original report]

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\RQqbzWGR.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\TxWUEITvoDwYs.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Purchase Order-568149.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 11.2.Purchase Order-568149.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: Purchase Order-568149.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Purchase Order-568149.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (7_2_06D95748)
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (7_2_06D96691)
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (7_2_06D966A0)
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (7_2_06D95738)
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (20_2_03563098)
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (20_2_03564A98)
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (20_2_03564A89)
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (20_2_03563096)
Source: Purchase Order-568149.exe, 0000000B.00000002.604354638.0000000002D81000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Purchase Order-568149.exe, 0000000B.00000002.604354638.0000000002D81000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Purchase Order-568149.exe, 0000000B.00000002.604354638.0000000002D81000.00000004.00000001.sdmp | String found in binary or memory: http://flUPyp.com
Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000000.00000003.335107574.000000000627B000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Purchase Order-568149.exe, 00000000.00000002.368950363.0000000003568000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.388057190.0000000002B41000.00000004.00000001.sdmp, YYtJku.exe, 00000014.00000002.485090142.00000000039F8000.00000004.00000001.sdmp, YYtJku.exe, 00000019.00000002.509309042.0000000003188000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Purchase Order-568149.exe, 00000000.00000003.340362356.0000000006283000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000000.00000003.340187214.0000000006283000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Purchase Order-568149.exe, 00000000.00000003.338695199.0000000006280000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: Purchase Order-568149.exe, 00000000.00000003.338887957.000000000627B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com(
Source: Purchase Order-568149.exe, 00000000.00000003.339169323.000000000627B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com-g
Source: Purchase Order-568149.exe, 00000000.00000003.338801736.000000000627B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com-s(9
Source: Purchase Order-568149.exe, 00000000.00000003.338801736.000000000627B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com.
Source: Purchase Order-568149.exe, 00000000.00000003.339169323.000000000627B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comX
Source: Purchase Order-568149.exe, 00000000.00000003.339250764.000000000627B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comal
Source: Purchase Order-568149.exe, 00000000.00000003.339207360.000000000627B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comd
Source: Purchase Order-568149.exe, 00000000.00000003.339169323.000000000627B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comg
Source: Purchase Order-568149.exe, 00000000.00000003.339250764.000000000627B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comint
Source: Purchase Order-568149.exe, 00000000.00000003.339041249.000000000627B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comkf
Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Purchase Order-568149.exe, 00000000.00000003.338801736.000000000627B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comn-u
Source: Purchase Order-568149.exe, 00000000.00000003.338695199.0000000006280000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comncyI)
Source: Purchase Order-568149.exe, 00000000.00000003.339250764.000000000627B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como.
Source: Purchase Order-568149.exe, 00000000.00000003.339041249.000000000627B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comopsz
Source: Purchase Order-568149.exe, 00000000.00000003.338801736.000000000627B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comuct
Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Purchase Order-568149.exe, 00000000.00000003.343752332.000000000627B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers%
Source: Purchase Order-568149.exe, 00000000.00000003.343351772.0000000006283000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: Purchase Order-568149.exe, 00000000.00000003.343351772.0000000006283000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/(
Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Purchase Order-568149.exe, 00000000.00000003.344360147.000000000629E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Purchase Order-568149.exe, 00000000.00000003.343958618.000000000629E000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000000.00000003.344056196.000000000627B000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Purchase Order-568149.exe, 00000000.00000003.344384695.000000000627B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers1
Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Purchase Order-568149.exe, 00000000.00000003.343710141.000000000627B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersB
Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Purchase Order-568149.exe, 00000000.00000003.343351772.0000000006283000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersp
Source: Purchase Order-568149.exe, 00000000.00000003.344536866.000000000627B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designerss
Source: Purchase Order-568149.exe, 00000000.00000003.343972634.000000000627B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designerst
Source: Purchase Order-568149.exe, 00000000.00000002.367870273.0000000001897000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: Purchase Order-568149.exe, 00000000.00000002.367870273.0000000001897000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comceta
Source: Purchase Order-568149.exe, 00000000.00000002.367870273.0000000001897000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comm
Source: Purchase Order-568149.exe, 00000000.00000002.367870273.0000000001897000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comueto
Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Purchase Order-568149.exe, 00000000.00000003.337312703.0000000006282000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: Purchase Order-568149.exe, 00000000.00000003.338172221.0000000006280000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/a
Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Purchase Order-568149.exe, 00000000.00000003.337201985.0000000006282000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/ef1H
Source: Purchase Order-568149.exe, 00000000.00000003.338172221.0000000006280000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cna
Source: Purchase Order-568149.exe, 00000000.00000003.338022670.000000000627B000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cna-d
Source: Purchase Order-568149.exe, 00000000.00000003.338340603.0000000006280000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnadeB8
Source: Purchase Order-568149.exe, 00000000.00000003.338695199.0000000006280000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnarkp9
Source: Purchase Order-568149.exe, 00000000.00000003.338340603.0000000006280000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnl-g
Source: Purchase Order-568149.exe, 00000000.00000003.338695199.0000000006280000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnl9
Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000000.00000003.347259856.000000000627B000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000000.00000003.346410625.000000000627B000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000000.00000003.337071254.000000000627B000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Purchase Order-568149.exe, 00000000.00000003.343581227.000000000627B000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000000.00000003.342502988.0000000006283000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000000.00000003.333996874.0000000006262000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Purchase Order-568149.exe, 00000000.00000003.333996874.0000000006262000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comau
Source: Purchase Order-568149.exe, 00000000.00000003.333996874.0000000006262000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comt
Source: Purchase Order-568149.exe, 00000000.00000003.340362356.0000000006283000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Purchase Order-568149.exe, 00000000.00000003.340229745.0000000006283000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com(
Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Purchase Order-568149.exe, 00000000.00000003.337071254.000000000627B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krn-un(
Source: Purchase Order-568149.exe, 00000000.00000003.337071254.000000000627B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krn-usur-(
Source: YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Purchase Order-568149.exe, 00000000.00000003.339250764.000000000627B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com:
Source: Purchase Order-568149.exe, 00000000.00000003.338400000.0000000006280000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comb3
Source: Purchase Order-568149.exe, 00000000.00000003.338400000.0000000006280000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.coms89k3
Source: Purchase Order-568149.exe, 00000000.00000003.339250764.000000000627B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comslnt
Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Purchase Order-568149.exe, 00000000.00000003.344663261.0000000006288000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Purchase Order-568149.exe, 00000000.00000003.343184556.0000000006283000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deld
Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Purchase Order-568149.exe, 00000000.00000003.338649193.0000000006280000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnC
Source: Purchase Order-568149.exe, 00000007.00000002.390113039.0000000003B49000.00000004.00000001.sdmp, Purchase Order-568149.exe, 0000000B.00000002.596505185.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Purchase Order-568149.exe, 0000000B.00000002.604354638.0000000002D81000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: Purchase Order-568149.exe, 00000000.00000002.367573207.00000000015A8000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
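Almost all of the URL strings above are font-vendor metadata (carterandcone, fontbureau, founder, sandoll, tiro, urwpp and so on) carved from memory with a few trailing bytes of whatever followed them, which is why the same host appears a dozen times with different junk suffixes. The entries that actually matter for this sample are the Tor Browser download URL (with its %tordir% template variant), the DynDns string and the loopback HTTP string, and none of them is a C2 endpoint, which is consistent with "No configs have been found" above. The following Python is an added example, not part of the Joe Sandbox report: it folds carved variants into the clean host when a clean form is present in the same hit list, so an analyst reads ten hosts instead of eighty lines. The hit list is a constructed subset of the strings above (memory-region identifiers omitted); the folding rule is this example's own heuristic, and a truncated host such as www.monotype. is deliberately never used as a base so that a clean name is not folded into a broken one. Deciding which of the surviving hosts are benign font metadata is left to the analyst; the code only de-duplicates.

```python
"""Collapse 'String found in binary or memory' URL hits to distinct hosts (added example)."""
import re
from collections import defaultdict

# Constructed subset of the report's strings, paired with the process they were found in.
HITS = [
    ("Purchase Order-568149.exe", "http://127.0.0.1:HTTP/1.1"),
    ("Purchase Order-568149.exe", "http://DynDns.comDynDNS"),
    ("Purchase Order-568149.exe", "http://flUPyp.com"),
    ("Purchase Order-568149.exe", "http://www.carterandcone.com"),
    ("Purchase Order-568149.exe", "http://www.carterandcone.comkf"),
    ("Purchase Order-568149.exe", "http://www.carterandcone.com-s(9"),
    ("YYtJku.exe", "http://www.fontbureau.com/designers"),
    ("Purchase Order-568149.exe", "http://www.fontbureau.com/designers/cabarga.htmlN"),
    ("Purchase Order-568149.exe", "http://www.fontbureau.comceta"),
    ("Purchase Order-568149.exe", "http://www.founder.com.cn/cn"),
    ("Purchase Order-568149.exe", "http://www.founder.com.cna-d"),
    ("Purchase Order-568149.exe", "http://www.sandoll.co.kr"),
    ("Purchase Order-568149.exe", "http://www.sandoll.co.krn-usur-("),
    ("Purchase Order-568149.exe", "http://www.typography.netD"),
    ("Purchase Order-568149.exe", "http://www.monotype."),
    ("Purchase Order-568149.exe", "https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip"),
    ("Purchase Order-568149.exe", "https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha"),
]

# Host = scheme-stripped run of hostname characters; stops at ':' '/' '(' '%' and similar.
_HOST = re.compile(r"^https?://([A-Za-z0-9.-]+)", re.I)


def host_of(url: str):
    m = _HOST.match(url)
    return m.group(1).lower() if m else None


def canonicalise(hosts):
    """Map each host to the shortest plausible host in the set that is a proper prefix of it.

    A base must end in an alphanumeric (so a truncated 'www.monotype.' never absorbs a clean
    name), and the leftover must not start with '.', which would mean a genuinely longer
    name rather than carving junk."""
    uniq = sorted(set(hosts), key=len)
    canon = {}
    for h in uniq:
        canon[h] = h
        for c in uniq:  # shortest first, so the first match is the best base
            if len(c) < len(h) and h.startswith(c) and c[-1].isalnum() and h[len(c)] != ".":
                canon[h] = c
                break
    return canon


def summarise(hits):
    """{canonical host: {'variants': set of raw URLs, 'processes': set of process names}}"""
    hosts = [host_of(u) for _, u in hits]
    canon = canonicalise([h for h in hosts if h])
    out = defaultdict(lambda: {"variants": set(), "processes": set()})
    for (proc, url), h in zip(hits, hosts):
        if h is None:
            continue
        out[canon[h]]["variants"].add(url)
        out[canon[h]]["processes"].add(proc)
    return dict(out)


if __name__ == "__main__":
    for host, info in sorted(summarise(HITS).items()):
        print(f"{host:26} variants={len(info['variants']):2}  seen in {sorted(info['processes'])}")
```

Hosts that survive with junk attached (www.typography.netd, dyndns.comdyndns) are ones for which no clean form was carved; they stay visible rather than being guessed at, which is the right failure mode for triage output.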

                      System Summary:

                      barindex
                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: Purchase Order-568149.exe
                      Source: Purchase Order-568149.exe -- Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: RQqbzWGR.exe.0.dr -- Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: TxWUEITvoDwYs.exe.7.dr -- Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: Purchase Order-568149.exe, 00000000.00000002.366937225.0000000000E42000.00000002.00020000.sdmp -- Binary or memory string: OriginalFilenameDefaultBind.exe2 vs Purchase Order-568149.exe
                      Source: Purchase Order-568149.exe, 00000000.00000002.371167093.0000000004219000.00000004.00000001.sdmp -- Binary or memory string: OriginalFilenameStoreElement.dllB vs Purchase Order-568149.exe
                      Source: Purchase Order-568149.exe, 00000000.00000002.368027608.0000000003211000.00000004.00000001.sdmp -- Binary or memory string: OriginalFilenameConfigNodeType.dll> vs Purchase Order-568149.exe
                      Source: Purchase Order-568149.exe, 00000000.00000002.382480419.000000000EBF0000.00000002.00000001.sdmp -- Binary or memory string: System.OriginalFileName vs Purchase Order-568149.exe
                      Source: Purchase Order-568149.exe, 00000000.00000002.368950363.0000000003568000.00000004.00000001.sdmp -- Binary or memory string: OriginalFilenameIterat.exe6 vs Purchase Order-568149.exe
                      Source: Purchase Order-568149.exe, 00000000.00000002.381807418.0000000007D30000.00000002.00000001.sdmp -- Binary or memory string: originalfilename vs Purchase Order-568149.exe
                      Source: Purchase Order-568149.exe, 00000000.00000002.381807418.0000000007D30000.00000002.00000001.sdmp -- Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Purchase Order-568149.exe
                      Source: Purchase Order-568149.exe, 00000007.00000002.395732429.0000000006FC0000.00000004.00000001.sdmp -- Binary or memory string: OriginalFilenameStoreElement.dllB vs Purchase Order-568149.exe
                      Source: Purchase Order-568149.exe, 00000007.00000002.390113039.0000000003B49000.00000004.00000001.sdmp -- Binary or memory string: OriginalFilenameOAjkwywGgDZRPlpDvXYAZcNpbuMAeyPX.exe4 vs Purchase Order-568149.exe
                      Source: Purchase Order-568149.exe, 00000007.00000002.398144304.000000000E370000.00000002.00000001.sdmp -- Binary or memory string: System.OriginalFileName vs Purchase Order-568149.exe
                      Source: Purchase Order-568149.exe, 00000007.00000002.386573397.00000000007F2000.00000002.00020000.sdmp -- Binary or memory string: OriginalFilenameDefaultBind.exe2 vs Purchase Order-568149.exe
                      Source: Purchase Order-568149.exe, 00000007.00000002.388057190.0000000002B41000.00000004.00000001.sdmp -- Binary or memory string: OriginalFilenameConfigNodeType.dll> vs Purchase Order-568149.exe
                      Source: Purchase Order-568149.exe, 00000007.00000002.395571592.0000000006D00000.00000002.00000001.sdmp -- Binary or memory string: OriginalFilenamemscorrc.dllT vs Purchase Order-568149.exe
                      Source: Purchase Order-568149.exe, 00000007.00000002.386040104.0000000000402000.00000040.00000001.sdmp -- Binary or memory string: OriginalFilenameIterat.exe6 vs Purchase Order-568149.exe
                      Source: Purchase Order-568149.exe, 00000007.00000002.398516578.000000000E460000.00000002.00000001.sdmp -- Binary or memory string: originalfilename vs Purchase Order-568149.exe
                      Source: Purchase Order-568149.exe, 00000007.00000002.398516578.000000000E460000.00000002.00000001.sdmp -- Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Purchase Order-568149.exe
                      Source: Purchase Order-568149.exe, 0000000A.00000002.383597284.0000000000542000.00000002.00020000.sdmp -- Binary or memory string: OriginalFilenameDefaultBind.exe2 vs Purchase Order-568149.exe
                      Source: Purchase Order-568149.exe, 0000000B.00000003.435818261.00000000064F1000.00000004.00000001.sdmp -- Binary or memory string: OriginalFilenameDefaultBind.exe2 vs Purchase Order-568149.exe
                      Source: Purchase Order-568149.exe, 0000000B.00000002.602229842.00000000010CA000.00000004.00000020.sdmp -- Binary or memory string: OriginalFilenameclr.dllT vs Purchase Order-568149.exe
                      Source: Purchase Order-568149.exe, 0000000B.00000002.596505185.0000000000402000.00000040.00000001.sdmp -- Binary or memory string: OriginalFilenameOAjkwywGgDZRPlpDvXYAZcNpbuMAeyPX.exe4 vs Purchase Order-568149.exe
                      Source: Purchase Order-568149.exe -- Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: Purchase Order-568149.exe -- Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: RQqbzWGR.exe.0.dr -- Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: TxWUEITvoDwYs.exe.7.dr -- Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: classification engine -- Classification label: mal100.troj.evad.winEXE@31/11@0/0
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exe -- File created: C:\Users\user\AppData\Roaming\RQqbzWGR.exe
                      Source: C:\Windows\System32\conhost.exe -- Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5668:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe -- Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1676:120:WilError_01
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exe -- Mutant created: \Sessions\1\BaseNamedObjects\XHreRguTKPVHTcWBiISLJQIUy
                      Source: C:\Windows\System32\conhost.exe -- Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5824:120:WilError_01
                      Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe -- Mutant created: \Sessions\1\BaseNamedObjects\OCgTDpZUOzlrmFcbIEUognwVzHx
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exe -- File created: C:\Users\user\AppData\Local\Temp\tmp5CCB.tmp
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exe -- Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe -- Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exe -- File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exe -- Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exe -- File read: C:\Users\user\Desktop\Purchase Order-568149.exe
                      Source: unknown -- Process created: C:\Users\user\Desktop\Purchase Order-568149.exe 'C:\Users\user\Desktop\Purchase Order-568149.exe'
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exe -- Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RQqbzWGR' /XML 'C:\Users\user\AppData\Local\Temp\tmp5CCB.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exe -- Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exe -- Process created: C:\Users\user\Desktop\Purchase Order-568149.exe C:\Users\user\Desktop\Purchase Order-568149.exe
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exe -- Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TxWUEITvoDwYs' /XML 'C:\Users\user\AppData\Local\Temp\tmp8013.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exe -- Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exe -- Process created: C:\Users\user\Desktop\Purchase Order-568149.exe C:\Users\user\Desktop\Purchase Order-568149.exe
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exe -- Process created: C:\Users\user\Desktop\Purchase Order-568149.exe C:\Users\user\Desktop\Purchase Order-568149.exe
                      Source: unknown -- Process created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe 'C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe'
                      Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe -- Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RQqbzWGR' /XML 'C:\Users\user\AppData\Local\Temp\tmp31EE.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exe -- Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknown -- Process created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe 'C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe'
                      Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe -- Process created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe
                      Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe -- Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TxWUEITvoDwYs' /XML 'C:\Users\user\AppData\Local\Temp\tmp51AB.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exe -- Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe -- Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RQqbzWGR' /XML 'C:\Users\user\AppData\Local\Temp\tmp5526.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exe -- Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe -- Process created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe
                      Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe -- Process created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe
                      Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe -- Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TxWUEITvoDwYs' /XML 'C:\Users\user\AppData\Local\Temp\tmp75EC.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exe -- Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe -- Process created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exe -- File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: Purchase Order-568149.exe -- Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: Purchase Order-568149.exe -- Static PE information: Virtual size of .text is bigger than: 0x100000
                      Source: Purchase Order-568149.exe -- Static file information: File size 1958400 > 1048576
                      Source: Purchase Order-568149.exe -- Static PE information: Raw size of .text is bigger than: 0x100000 < 0x19ec00
                      Source: Purchase Order-568149.exe -- Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: initial sample -- Static PE information: section name: .text entropy: 7.43251327113
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exe -- File created: C:\Users\user\AppData\Roaming\RQqbzWGR.exe (dropped file)
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exe -- File created: C:\Users\user\AppData\Roaming\TxWUEITvoDwYs.exe (dropped file)
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exe -- File created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe (dropped file)

                      Boot Survival:

                      Uses schtasks.exe or at.exe to add and modify task schedules
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exe -- Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RQqbzWGR' /XML 'C:\Users\user\AppData\Local\Temp\tmp5CCB.tmp'
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exe -- Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run YYtJku

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exe -- File opened: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe:Zone.Identifier read attributes | delete
                      Moves itself to temp directory
                      Source: c:\users\user\desktop\purchase order-568149.exe -- File moved: C:\Users\user\AppData\Local\Temp\tmpG593.tmp
                      Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe -- Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exe -- Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 00000019.00000002.509309042.0000000003188000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.368950363.0000000003568000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.485090142.00000000039F8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.389374922.0000000002CCB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.507876380.000000000313B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000002.530832386.0000000002E8B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase Order-568149.exe PID: 3452, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Purchase Order-568149.exe PID: 2796, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: YYtJku.exe PID: 5800, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: YYtJku.exe PID: 5964, type: MEMORYSTR
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Purchase Order-568149.exe, 00000000.00000002.368950363.0000000003568000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.389374922.0000000002CCB000.00000004.00000001.sdmp, YYtJku.exe, 00000014.00000002.485090142.00000000039F8000.00000004.00000001.sdmp, YYtJku.exe, 00000019.00000002.509309042.0000000003188000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Purchase Order-568149.exe, 00000000.00000002.368950363.0000000003568000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.389374922.0000000002CCB000.00000004.00000001.sdmp, YYtJku.exe, 00000014.00000002.485090142.00000000039F8000.00000004.00000001.sdmp, YYtJku.exe, 00000019.00000002.509309042.0000000003188000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Window / User API: threadDelayed 2315
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Window / User API: threadDelayed 7509
Source: C:\Users\user\Desktop\Purchase Order-568149.exe TID: 5116 | Thread sleep time: -45597s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order-568149.exe TID: 1676 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order-568149.exe TID: 2944 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order-568149.exe TID: 2996 | Thread sleep time: -44519s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order-568149.exe TID: 6112 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order-568149.exe TID: 1428 | Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order-568149.exe TID: 6092 | Thread sleep count: 2315 > 30
Source: C:\Users\user\Desktop\Purchase Order-568149.exe TID: 6092 | Thread sleep count: 7509 > 30
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe TID: 1180 | Thread sleep time: -46615s >= -30000s
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe TID: 1208 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe TID: 160 | Thread sleep time: -45036s >= -30000s
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe TID: 5084 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Thread delayed: delay time: 45597
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Thread delayed: delay time: 44519
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Thread delayed: delay time: 46615
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Thread delayed: delay time: 45036
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Thread delayed: delay time: 922337203685477
Source: YYtJku.exe, 00000019.00000002.509309042.0000000003188000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: YYtJku.exe, 00000019.00000002.509309042.0000000003188000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: YYtJku.exe, 00000019.00000002.509309042.0000000003188000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: YYtJku.exe, 00000019.00000002.509309042.0000000003188000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: YYtJku.exe, 00000019.00000002.509309042.0000000003188000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: YYtJku.exe, 00000019.00000002.509309042.0000000003188000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: YYtJku.exe, 00000019.00000002.509309042.0000000003188000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: YYtJku.exe, 00000019.00000002.509309042.0000000003188000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Memory written: C:\Users\user\Desktop\Purchase Order-568149.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Memory written: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RQqbzWGR' /XML 'C:\Users\user\AppData\Local\Temp\tmp5CCB.tmp'
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Process created: C:\Users\user\Desktop\Purchase Order-568149.exe C:\Users\user\Desktop\Purchase Order-568149.exe
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TxWUEITvoDwYs' /XML 'C:\Users\user\AppData\Local\Temp\tmp8013.tmp'
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Process created: C:\Users\user\Desktop\Purchase Order-568149.exe C:\Users\user\Desktop\Purchase Order-568149.exe
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Process created: C:\Users\user\Desktop\Purchase Order-568149.exe C:\Users\user\Desktop\Purchase Order-568149.exe
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RQqbzWGR' /XML 'C:\Users\user\AppData\Local\Temp\tmp31EE.tmp'
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Process created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RQqbzWGR' /XML 'C:\Users\user\AppData\Local\Temp\tmp5526.tmp'
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Process created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe
Source: Purchase Order-568149.exe, 0000000B.00000002.603762841.00000000017E0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Purchase Order-568149.exe, 0000000B.00000002.603762841.00000000017E0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Purchase Order-568149.exe, 0000000B.00000002.603762841.00000000017E0000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
Source: Purchase Order-568149.exe, 0000000B.00000002.603762841.00000000017E0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Users\user\Desktop\Purchase Order-568149.exe VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order-568149.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Users\user\Desktop\Purchase Order-568149.exe | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Users\user\Desktop\Purchase Order-568149.exe | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Queries volume information: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | VolumeInformation
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Queries volume information: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | VolumeInformation
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Code function: 11_2_05EA5A94 GetUserNameW | 11_2_05EA5A94
Source: C:\Users\user\Desktop\Purchase Order-568149.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 7.2.Purchase Order-568149.exe.4097118.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Purchase Order-568149.exe.4097118.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Purchase Order-568149.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000026.00000002.598185480.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.390113039.0000000003B49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.508939445.0000000003FB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.596505185.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.531888040.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000002.532092035.0000000003D09000.00000004.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match | File source: 7.2.Purchase Order-568149.exe.4097118.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Purchase Order-568149.exe.4097118.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Purchase Order-568149.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000026.00000002.598185480.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.390113039.0000000003B49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.534207438.0000000002E71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.508939445.0000000003FB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.596505185.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.603696462.0000000003291000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.531888040.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.604354638.0000000002D81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000002.532092035.0000000003D09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase Order-568149.exe PID: 2796, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Purchase Order-568149.exe PID: 3728, type: MEMORYSTR
Source: Yara match | File source: 00000021.00000002.534207438.0000000002E71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.603696462.0000000003291000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.604354638.0000000002D81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase Order-568149.exe PID: 3728, type: MEMORYSTR

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Source: Yara matchFile source: 7.2.Purchase Order-568149.exe.4097118.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.Purchase Order-568149.exe.4097118.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.Purchase Order-568149.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000026.00000002.598185480.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.390113039.0000000003B49000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001A.00000002.508939445.0000000003FB9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.596505185.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000021.00000002.531888040.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000002.532092035.0000000003D09000.00000004.00000001.sdmp, type: MEMORY
                      Yara detected AgentTesla
                      Source: Yara matchFile source: 7.2.Purchase Order-568149.exe.4097118.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.Purchase Order-568149.exe.4097118.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.Purchase Order-568149.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000026.00000002.598185480.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.390113039.0000000003B49000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000021.00000002.534207438.0000000002E71000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001A.00000002.508939445.0000000003FB9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.596505185.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000026.00000002.603696462.0000000003291000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000021.00000002.531888040.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.604354638.0000000002D81000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000002.532092035.0000000003D09000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Purchase Order-568149.exe PID: 2796, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Purchase Order-568149.exe PID: 3728, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation 211 | Scheduled Task/Job 1 | Process Injection 112 | Masquerading 11 | Input Capture 1 | Query Registry 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Scheduled Task/Job 1 | Registry Run Keys / Startup Folder 1 | Scheduled Task/Job 1 | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 211 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Registry Run Keys / Startup Folder 1 | Virtualization/Sandbox Evasion 131 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Virtualization/Sandbox Evasion 131 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 3 | Cached Domain Credentials | Account Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 3 | DCSync | System Owner/User Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery 113 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

                      (Digits appended to a technique name are the report's matched-signature count badges for that cell.)

                      Behavior Graph

                      Behavior Graph ID: 458886
                      Sample: Purchase Order-568149.exe
                      Start date: 03/08/2021
                      Architecture: WINDOWS
                      Score: 100

                      Signatures attached to the start node [2]:
                      • Yara detected AgentTesla
                      • Yara detected AgentTesla
                      • Yara detected AntiVM3
                      • 7 other signatures

                      Process tree (node ids in brackets; dropped files and signatures are listed under the process that produced them):
                      • Purchase Order-568149.exe [8], started from [2]
                        Dropped: C:\Users\user\AppData\Roaming\RQqbzWGR.exe (PE32)
                        Dropped: C:\Users\...\RQqbzWGR.exe:Zone.Identifier (ASCII)
                        Dropped: C:\Users\user\AppData\Local\...\tmp5CCB.tmp (XML)
                        Dropped: C:\Users\...\Purchase Order-568149.exe.log (ASCII)
                        Signature: Injects a PE file into a foreign processes
                        • Purchase Order-568149.exe [16], started from [8]
                          Dropped: C:\Users\user\AppData\...\TxWUEITvoDwYs.exe (PE32)
                          Dropped: C:\...\TxWUEITvoDwYs.exe:Zone.Identifier (ASCII)
                          • Purchase Order-568149.exe [23], started from [16]
                            Dropped: C:\Users\user\AppData\Roaming\...\YYtJku.exe (PE32)
                            Dropped: C:\Users\user\...\YYtJku.exe:Zone.Identifier (ASCII)
                            Signature: Moves itself to temp directory
                            Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
                          • schtasks.exe [27], started from [16]
                            • conhost.exe [35], started from [27]
                          • Purchase Order-568149.exe [29], started from [16]
                        • schtasks.exe [19], started from [8]
                          • conhost.exe [31], started from [19]
                      • YYtJku.exe [12], started from [2]
                        Signature: Machine Learning detection for dropped file
                        • schtasks.exe [21], started from [12]
                          • conhost.exe [33], started from [21]
                      • YYtJku.exe [14], started from [2]


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label | Link
                      Purchase Order-568149.exe | 100% | Joe Sandbox ML | |

                      Dropped Files

                      Source | Detection | Scanner | Label | Link
                      C:\Users\user\AppData\Roaming\RQqbzWGR.exe | 100% | Joe Sandbox ML | |
                      C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | 100% | Joe Sandbox ML | |
                      C:\Users\user\AppData\Roaming\TxWUEITvoDwYs.exe | 100% | Joe Sandbox ML | |

                      Unpacked PE Files

                      Source | Detection | Scanner | Label | Link | Download
                      11.2.Purchase Order-568149.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File

                      Domains

                      No Antivirus matches

                      URLs

                      Source | Detection | Scanner | Label | Link
                      http://www.tiro.com: | 0% | Virustotal | | Browse
                      http://www.tiro.com: | 0% | Avira URL Cloud | safe |
                      http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe |
                      http://www.founder.com.cn/cnarkp9 | 0% | Avira URL Cloud | safe |
                      http://www.carterandcone.comn-u | 0% | URL Reputation | safe |
                      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
                      http://www.zhongyicts.com.cnC | 0% | Avira URL Cloud | safe |
                      http://www.urwpp.deld | 0% | Avira URL Cloud | safe |
                      http://www.tiro.coms89k3 | 0% | Avira URL Cloud | safe |
                      http://www.carterandcone.com-s(9 | 0% | Avira URL Cloud | safe |
                      http://www.carterandcone.comal | 0% | URL Reputation | safe |
                      http://www.founder.com.cn/cna-d | 0% | URL Reputation | safe |
                      http://www.sandoll.co.krn-un( | 0% | Avira URL Cloud | safe |
                      http://www.tiro.com | 0% | URL Reputation | safe |
                      http://www.fontbureau.comceta | 0% | Avira URL Cloud | safe |
                      http://www.goodfont.co.kr | 0% | URL Reputation | safe |
                      http://www.carterandcone.com | 0% | URL Reputation | safe |
                      http://www.carterandcone.com( | 0% | Avira URL Cloud | safe |
                      http://www.carterandcone.com. | 0% | URL Reputation | safe |
                      http://www.sajatypeworks.com | 0% | URL Reputation | safe |
                      http://www.typography.netD | 0% | URL Reputation | safe |
                      http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
                      http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
                      http://fontfabrik.com | 0% | URL Reputation | safe |
                      http://www.founder.com.cn/cnl-g | 0% | Avira URL Cloud | safe |
                      http://www.founder.com.cn/cn/ef1H | 0% | Avira URL Cloud | safe |
                      http://www.founder.com.cn/cn/a | 0% | Avira URL Cloud | safe |
                      http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
                      http://flUPyp.com | 0% | Avira URL Cloud | safe |
                      http://www.founder.com.cn/cna | 0% | URL Reputation | safe |
                      http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe |
                      http://www.carterandcone.comuct | 0% | Avira URL Cloud | safe |
                      http://www.sandoll.co.kr | 0% | URL Reputation | safe |
                      http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
                      http://www.urwpp.de | 0% | URL Reputation | safe |
                      http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
                      http://www.carterandcone.como. | 0% | URL Reputation | safe |
                      http://www.sakkal.com | 0% | URL Reputation | safe |
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe |
                      http://www.carterandcone.comncyI) | 0% | Avira URL Cloud | safe |
                      http://DynDns.comDynDNS | 0% | URL Reputation | safe |
                      http://www.fontbureau.comF | 0% | URL Reputation | safe |
                      http://www.carterandcone.comd | 0% | URL Reputation | safe |
                      http://www.sajatypeworks.comt | 0% | URL Reputation | safe |
                      http://www.tiro.comslnt | 0% | URL Reputation | safe |
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe |
                      http://www.carterandcone.comX | 0% | URL Reputation | safe |
                      http://www.tiro.comb3 | 0% | Avira URL Cloud | safe |
                      http://www.fontbureau.comueto | 0% | Avira URL Cloud | safe |
                      http://www.carterandcone.comg | 0% | Avira URL Cloud | safe |
                      http://www.carterandcone.coml | 0% | URL Reputation | safe |
                      http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe |
                      http://www.founder.com.cn/cnl9 | 0% | Avira URL Cloud | safe |
                      http://www.carterandcone.comint | 0% | Avira URL Cloud | safe |
                      http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
                      http://www.monotype. | 0% | URL Reputation | safe |
                      http://www.sakkal.com( | 0% | Avira URL Cloud | safe |
                      http://www.fontbureau.comm | 0% | URL Reputation | safe |
                      http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
                      http://www.sandoll.co.krn-usur-( | 0% | Avira URL Cloud | safe |
                      http://www.sajatypeworks.comau | 0% | Avira URL Cloud | safe |
                      http://www.founder.com.cn/cnadeB8 | 0% | Avira URL Cloud | safe |
                      http://www.carterandcone.comkf | 0% | Avira URL Cloud | safe |
                      http://www.carterandcone.com-g | 0% | Avira URL Cloud | safe |
                      http://www.carterandcone.comopsz | 0% | Avira URL Cloud | safe |

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

                      Columns: Name / Source / Malicious / Antivirus Detection / Reputation

                      http://www.tiro.com:
                        Source: Purchase Order-568149.exe, 00000000.00000003.339250764.000000000627B000.00000004.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • 0%, Virustotal, Browse
                        • Avira URL Cloud: safe
                        Reputation: unknown

                      http://127.0.0.1:HTTP/1.1
                        Source: Purchase Order-568149.exe, 0000000B.00000002.604354638.0000000002D81000.00000004.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • Avira URL Cloud: safe
                        Reputation: low

                      http://www.fontbureau.com/designersG
                        Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp
                        Malicious: false
                        Reputation: high

                      http://www.founder.com.cn/cnarkp9
                        Source: Purchase Order-568149.exe, 00000000.00000003.338695199.0000000006280000.00000004.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • Avira URL Cloud: safe
                        Reputation: unknown

                      http://www.carterandcone.comn-u
                        Source: Purchase Order-568149.exe, 00000000.00000003.338801736.000000000627B000.00000004.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • URL Reputation: safe
                        Reputation: unknown

                      http://www.fontbureau.com/designers/?
                        Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp
                        Malicious: false
                        Reputation: high

                      http://www.founder.com.cn/cn/bThe
                        Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • URL Reputation: safe
                        Reputation: unknown

                      http://www.zhongyicts.com.cnC
                        Source: Purchase Order-568149.exe, 00000000.00000003.338649193.0000000006280000.00000004.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • Avira URL Cloud: safe
                        Reputation: unknown

                      http://www.urwpp.deld
                        Source: Purchase Order-568149.exe, 00000000.00000003.343184556.0000000006283000.00000004.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • Avira URL Cloud: safe
                        Reputation: unknown

                      http://www.fontbureau.com/designers?
                        Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp
                        Malicious: false
                        Reputation: high

                      http://www.tiro.coms89k3
                        Source: Purchase Order-568149.exe, 00000000.00000003.338400000.0000000006280000.00000004.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • Avira URL Cloud: safe
                        Reputation: unknown

                      http://www.carterandcone.com-s(9
                        Source: Purchase Order-568149.exe, 00000000.00000003.338801736.000000000627B000.00000004.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • Avira URL Cloud: safe
                        Reputation: low

                      http://www.carterandcone.comal
                        Source: Purchase Order-568149.exe, 00000000.00000003.339250764.000000000627B000.00000004.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • URL Reputation: safe
                        Reputation: unknown

                      http://www.fontbureau.com/designersB
                        Source: Purchase Order-568149.exe, 00000000.00000003.343710141.000000000627B000.00000004.00000001.sdmp
                        Malicious: false
                        Reputation: high

                      http://www.founder.com.cn/cna-d
                        Source: Purchase Order-568149.exe, 00000000.00000003.338022670.000000000627B000.00000004.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • URL Reputation: safe
                        Reputation: unknown

                      http://www.sandoll.co.krn-un(
                        Source: Purchase Order-568149.exe, 00000000.00000003.337071254.000000000627B000.00000004.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • Avira URL Cloud: safe
                        Reputation: low

                      http://www.tiro.com
                        Source: YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • URL Reputation: safe
                        Reputation: unknown

                      http://www.fontbureau.comceta
                        Source: Purchase Order-568149.exe, 00000000.00000002.367870273.0000000001897000.00000004.00000040.sdmp
                        Malicious: false
                        Antivirus detection:
                        • Avira URL Cloud: safe
                        Reputation: unknown

                      http://www.fontbureau.com/designers
                        Source: YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp
                        Malicious: false
                        Reputation: high

                      http://www.goodfont.co.kr
                        Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000000.00000003.337071254.000000000627B000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • URL Reputation: safe
                        Reputation: unknown

                      http://www.carterandcone.com
                        Source: Purchase Order-568149.exe, 00000000.00000003.338695199.0000000006280000.00000004.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • URL Reputation: safe
                        Reputation: unknown

                      http://www.carterandcone.com(
                        Source: Purchase Order-568149.exe, 00000000.00000003.338887957.000000000627B000.00000004.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • Avira URL Cloud: safe
                        Reputation: low

                      http://www.carterandcone.com.
                        Source: Purchase Order-568149.exe, 00000000.00000003.338801736.000000000627B000.00000004.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • URL Reputation: safe
                        Reputation: unknown

                      http://www.sajatypeworks.com
                        Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000000.00000003.333996874.0000000006262000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • URL Reputation: safe
                        Reputation: unknown

                      http://www.typography.netD
                        Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • URL Reputation: safe
                        Reputation: unknown

                      http://www.founder.com.cn/cn/cThe
                        Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • URL Reputation: safe
                        Reputation: unknown

                      http://www.galapagosdesign.com/staff/dennis.htm
                        Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000000.00000003.347259856.000000000627B000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000000.00000003.346410625.000000000627B000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • URL Reputation: safe
                        Reputation: unknown

                      http://fontfabrik.com
                        Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000000.00000003.335107574.000000000627B000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • URL Reputation: safe
                        Reputation: unknown

                      http://www.founder.com.cn/cnl-g
                        Source: Purchase Order-568149.exe, 00000000.00000003.338340603.0000000006280000.00000004.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • Avira URL Cloud: safe
                        Reputation: unknown

                      http://www.founder.com.cn/cn/ef1H
                        Source: Purchase Order-568149.exe, 00000000.00000003.337201985.0000000006282000.00000004.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • Avira URL Cloud: safe
                        Reputation: unknown

                      http://www.founder.com.cn/cn/a
                        Source: Purchase Order-568149.exe, 00000000.00000003.338172221.0000000006280000.00000004.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • Avira URL Cloud: safe
                        Reputation: unknown

                      http://www.galapagosdesign.com/DPlease
                        Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • URL Reputation: safe
                        Reputation: unknown

                      http://flUPyp.com
                        Source: Purchase Order-568149.exe, 0000000B.00000002.604354638.0000000002D81000.00000004.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • Avira URL Cloud: safe
                        Reputation: unknown

                      http://www.founder.com.cn/cna
                        Source: Purchase Order-568149.exe, 00000000.00000003.338172221.0000000006280000.00000004.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • URL Reputation: safe
                        Reputation: unknown

                      http://www.ascendercorp.com/typedesigners.html
                        Source: Purchase Order-568149.exe, 00000000.00000003.340362356.0000000006283000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000000.00000003.340187214.0000000006283000.00000004.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • URL Reputation: safe
                        Reputation: unknown

                      http://www.carterandcone.comuct
                        Source: Purchase Order-568149.exe, 00000000.00000003.338801736.000000000627B000.00000004.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • Avira URL Cloud: safe
                        Reputation: unknown

                      http://www.fonts.com
                        Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp
                        Malicious: false
                        Reputation: high

                      http://www.sandoll.co.kr
                        Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • URL Reputation: safe
                        Reputation: unknown

                      http://www.urwpp.deDPlease
                        Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • URL Reputation: safe
                        Reputation: unknown

                      http://www.urwpp.de
                        Source: Purchase Order-568149.exe, 00000000.00000003.344663261.0000000006288000.00000004.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • URL Reputation: safe
                        Reputation: unknown

                      http://www.zhongyicts.com.cn
                        Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • URL Reputation: safe
                        Reputation: unknown

                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: Purchase Order-568149.exe, 00000000.00000002.368950363.0000000003568000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.388057190.0000000002B41000.00000004.00000001.sdmp, YYtJku.exe, 00000014.00000002.485090142.00000000039F8000.00000004.00000001.sdmp, YYtJku.exe, 00000019.00000002.509309042.0000000003188000.00000004.00000001.sdmp
                        Malicious: false
                        Reputation: high

                      http://www.carterandcone.como.
                        Source: Purchase Order-568149.exe, 00000000.00000003.339250764.000000000627B000.00000004.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • URL Reputation: safe
                        Reputation: unknown

                      http://www.fontbureau.com/designersp
                        Source: Purchase Order-568149.exe, 00000000.00000003.343351772.0000000006283000.00000004.00000001.sdmp
                        Malicious: false
                        Reputation: high

                      http://www.sakkal.com
                        Source: Purchase Order-568149.exe, 00000000.00000003.340362356.0000000006283000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • URL Reputation: safe
                        Reputation: unknown

                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                        Source: Purchase Order-568149.exe, 00000007.00000002.390113039.0000000003B49000.00000004.00000001.sdmp, Purchase Order-568149.exe, 0000000B.00000002.596505185.0000000000402000.00000040.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • URL Reputation: safe
                        Reputation: unknown

                      http://www.carterandcone.comncyI)
                        Source: Purchase Order-568149.exe, 00000000.00000003.338695199.0000000006280000.00000004.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • Avira URL Cloud: safe
                        Reputation: low

                      http://www.fontbureau.com/designers/(
                        Source: Purchase Order-568149.exe, 00000000.00000003.343351772.0000000006283000.00000004.00000001.sdmp
                        Malicious: false
                        Reputation: high

                      http://www.fontbureau.com/designerst
                        Source: Purchase Order-568149.exe, 00000000.00000003.343972634.000000000627B000.00000004.00000001.sdmp
                        Malicious: false
                        Reputation: high

                      http://www.fontbureau.com/designerss
                        Source: Purchase Order-568149.exe, 00000000.00000003.344536866.000000000627B000.00000004.00000001.sdmp
                        Malicious: false
                        Reputation: high

                      http://www.apache.org/licenses/LICENSE-2.0
                        Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp
                        Malicious: false
                        Reputation: high

                      http://www.fontbureau.com
                        Source: Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmp
                        Malicious: false
                        Reputation: high

                      http://DynDns.comDynDNS
                        Source: Purchase Order-568149.exe, 0000000B.00000002.604354638.0000000002D81000.00000004.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • URL Reputation: safe
                        Reputation: unknown

                      http://www.fontbureau.comF
                        Source: Purchase Order-568149.exe, 00000000.00000002.367870273.0000000001897000.00000004.00000040.sdmp
                        Malicious: false
                        Antivirus detection:
                        • URL Reputation: safe
                        Reputation: unknown

                      http://www.carterandcone.comd
                        Source: Purchase Order-568149.exe, 00000000.00000003.339207360.000000000627B000.00000004.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • URL Reputation: safe
                        Reputation: unknown

                      http://www.sajatypeworks.comt
                        Source: Purchase Order-568149.exe, 00000000.00000003.333996874.0000000006262000.00000004.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • URL Reputation: safe
                        Reputation: unknown

                      http://www.tiro.comslnt
                        Source: Purchase Order-568149.exe, 00000000.00000003.339250764.000000000627B000.00000004.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • URL Reputation: safe
                        Reputation: unknown

                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                        Source: Purchase Order-568149.exe, 0000000B.00000002.604354638.0000000002D81000.00000004.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                        • URL Reputation: safe
                        Reputation: unknown

                      http://www.carterandcone.comX
                        Source: Purchase Order-568149.exe, 00000000.00000003.339169323.000000000627B000.00000004.00000001.sdmp
                        Malicious: false
                        Antivirus detection:
                                                • URL Reputation: safe
                                                unknown
                                                http://www.tiro.comb3Purchase Order-568149.exe, 00000000.00000003.338400000.0000000006280000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.fontbureau.comuetoPurchase Order-568149.exe, 00000000.00000002.367870273.0000000001897000.00000004.00000040.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.carterandcone.comgPurchase Order-568149.exe, 00000000.00000003.339169323.000000000627B000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.carterandcone.comlPurchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.founder.com.cn/cn/Purchase Order-568149.exe, 00000000.00000003.337312703.0000000006282000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.com/designers/cabarga.htmlNPurchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmpfalse
                                                  high
                                                  http://www.founder.com.cn/cnl9Purchase Order-568149.exe, 00000000.00000003.338695199.0000000006280000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.carterandcone.comintPurchase Order-568149.exe, 00000000.00000003.339250764.000000000627B000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.founder.com.cn/cnPurchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.com/designers/frere-jones.htmlPurchase Order-568149.exe, 00000000.00000003.343958618.000000000629E000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000000.00000003.344056196.000000000627B000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmpfalse
                                                    high
                                                    http://www.fontbureau.com/designers/cabarga.htmlPurchase Order-568149.exe, 00000000.00000003.344360147.000000000629E000.00000004.00000001.sdmpfalse
                                                      high
                                                      http://www.monotype.Purchase Order-568149.exe, 00000000.00000003.343581227.000000000627B000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000000.00000003.342502988.0000000006283000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.sakkal.com(Purchase Order-568149.exe, 00000000.00000003.340229745.0000000006283000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      low
                                                      http://www.fontbureau.com/designers%Purchase Order-568149.exe, 00000000.00000003.343752332.000000000627B000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://www.fontbureau.commPurchase Order-568149.exe, 00000000.00000002.367870273.0000000001897000.00000004.00000040.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.jiyu-kobo.co.jp/Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.fontbureau.com/designers8Purchase Order-568149.exe, 00000000.00000002.381165884.0000000007472000.00000004.00000001.sdmp, Purchase Order-568149.exe, 00000007.00000002.394788186.0000000005C00000.00000002.00000001.sdmp, YYtJku.exe, 00000014.00000002.497867827.00000000066E0000.00000002.00000001.sdmpfalse
                                                          high
                                                          http://www.sandoll.co.krn-usur-(Purchase Order-568149.exe, 00000000.00000003.337071254.000000000627B000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          low
                                                          http://www.fontbureau.com/designers1Purchase Order-568149.exe, 00000000.00000003.344384695.000000000627B000.00000004.00000001.sdmpfalse
                                                            high
                                                            http://www.sajatypeworks.comauPurchase Order-568149.exe, 00000000.00000003.333996874.0000000006262000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.fontbureau.com/designers/Purchase Order-568149.exe, 00000000.00000003.343351772.0000000006283000.00000004.00000001.sdmpfalse
                                                              high
                                                              http://www.founder.com.cn/cnadeB8Purchase Order-568149.exe, 00000000.00000003.338340603.0000000006280000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.carterandcone.comkfPurchase Order-568149.exe, 00000000.00000003.339041249.000000000627B000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.carterandcone.com-gPurchase Order-568149.exe, 00000000.00000003.339169323.000000000627B000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.carterandcone.comopszPurchase Order-568149.exe, 00000000.00000003.339041249.000000000627B000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown

Contacted IPs

No contacted IP information

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 458886
Start date: 03.08.2021
Start time: 20:40:28
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 59s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Purchase Order-568149.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 42
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@31/11@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 72
• Number of non-executed functions: 6
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing behavior and disassembly information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded the maximum capacity and may be missing behavior information
• Report size getting too big: too many NtAllocateVirtualMemory calls found
• Report size getting too big: too many NtOpenKeyEx calls found
• Report size getting too big: too many NtProtectVirtualMemory calls found
• Report size getting too big: too many NtQueryValueKey calls found

Simulations

Behavior and APIs

Time | Type | Description
20:41:29 | API Interceptor | 578x Sleep call for process: Purchase Order-568149.exe modified
20:42:09 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run YYtJku C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe
20:42:17 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run YYtJku C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe
20:42:22 | API Interceptor | 133x Sleep call for process: YYtJku.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order-568149.exe.log
Process: C:\Users\user\Desktop\Purchase Order-568149.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: unknown
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\YYtJku.exe.log
Process: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: false
Reputation: unknown
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
C:\Users\user\AppData\Local\Temp\tmp31EE.tmp
Process: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1653
Entropy (8bit): 5.167460387336423
Encrypted: false
SSDEEP: 24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3Fbtn:cbha7JlNQV/rydbz9I3YODOLNdq3n5
MD5: 0F0234C5E88A75551290F5AE18781C63
SHA1: 95BCC8204FBBB833D17A76D18F5966A1BDBD0B49
SHA-256: 5444BB2D5C248215AD57A7519EA1CD1726B2809A3BFC6C439483383416EC0B9A
SHA-512: B6BB6CF7DA41783FC9FC96AF57D846403EE4A4AB4CB4B2ACD1FD75E81CC008988B3C1D3A2B29A57ABF3EA38488AF4A47CC6C70DFD12A0F8B9F69BB029A447E33
Malicious: false
Reputation: unknown
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail
C:\Users\user\AppData\Local\Temp\tmp5526.tmp
Process: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 0
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3Fbtn:cbha7JlNQV/rydbz9I3YODOLNdq3n5
MD5: 0F0234C5E88A75551290F5AE18781C63
SHA1: 95BCC8204FBBB833D17A76D18F5966A1BDBD0B49
SHA-256: 5444BB2D5C248215AD57A7519EA1CD1726B2809A3BFC6C439483383416EC0B9A
SHA-512: B6BB6CF7DA41783FC9FC96AF57D846403EE4A4AB4CB4B2ACD1FD75E81CC008988B3C1D3A2B29A57ABF3EA38488AF4A47CC6C70DFD12A0F8B9F69BB029A447E33
Malicious: false
Reputation: unknown
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail
C:\Users\user\AppData\Local\Temp\tmp5CCB.tmp
Process: C:\Users\user\Desktop\Purchase Order-568149.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1653
Entropy (8bit): 5.167460387336423
Encrypted: false
SSDEEP: 24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3Fbtn:cbha7JlNQV/rydbz9I3YODOLNdq3n5
MD5: 0F0234C5E88A75551290F5AE18781C63
SHA1: 95BCC8204FBBB833D17A76D18F5966A1BDBD0B49
SHA-256: 5444BB2D5C248215AD57A7519EA1CD1726B2809A3BFC6C439483383416EC0B9A
SHA-512: B6BB6CF7DA41783FC9FC96AF57D846403EE4A4AB4CB4B2ACD1FD75E81CC008988B3C1D3A2B29A57ABF3EA38488AF4A47CC6C70DFD12A0F8B9F69BB029A447E33
Malicious: true
Reputation: unknown
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail
C:\Users\user\AppData\Local\Temp\tmp8013.tmp
Process: C:\Users\user\Desktop\Purchase Order-568149.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1658
Entropy (8bit): 5.162387295213227
Encrypted: false
SSDEEP: 24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3Jtn:cbha7JlNQV/rydbz9I3YODOLNdq3Z
MD5: C273A4C55231177FD5797CC6408B118D
SHA1: E2150489D6EA72A4F8C5EC4BAA4A74B9AA26511F
SHA-256: AA5C261A8B2AF9FAF44C0687688AE84534BC157B116A2AC52D46A51108A29D21
SHA-512: D42A6703F685714EA6D057AAC239A82A45B9FB185AAC5B424F063149F5599FFA89DFB4AE72C0725B0175A9AD6D0E6E8A0FEA78391418CF222DE887B8E10EDF24
Malicious: false
Reputation: unknown
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail
                                                              C:\Users\user\AppData\Roaming\RQqbzWGR.exe
                                                              Process:C:\Users\user\Desktop\Purchase Order-568149.exe
                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):1958400
                                                              Entropy (8bit):7.426284873219883
                                                              Encrypted:false
                                                              SSDEEP:49152:kMJyo1U3GlbQA1obnz3Mc7Dcd/k7AK1j:l9qSov3Mc7DX
                                                              MD5:83F1AFD58BF104CB33FACC556D7BAE89
                                                              SHA1:4D57EA68149DA873D3DA6DE49241D1CD33F1B3F3
                                                              SHA-256:F0A5918DE0509BE93FFA64BE5E74942989FA8ACD94B34B6659F479D22ABAB0CA
                                                              SHA-512:54DC3D6AAE0401EBE1DEE9F98FAA653127D93F5C0BFE2C86C68D4F97E468F344FDBE92F2BB0040A74CF486D1476AACE27974DA3C37507A85CA7F00DA76C187E0
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                              Reputation:unknown
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....|.a..............P.................. ... ....@.. .......................@............@.................................X...O.... ....................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc....... ......................@..B........................H.......L....8......M...X..../............................................(....*&..(.....*.s.........s ........s!........s"........s#........*...0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0...........~....o'....+..*.0...........~....o(....+..*.0..<........~.....().....,!r...p.....(*...o+...s,............~.....+..*.0...........~.....+..*".......*.0..&........(....r%..p~....o-...(......t$....+..*Vs....(/...t.........*..(0...*.0..........
                                                              C:\Users\user\AppData\Roaming\RQqbzWGR.exe:Zone.Identifier
                                                              Process:C:\Users\user\Desktop\Purchase Order-568149.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):26
                                                              Entropy (8bit):3.95006375643621
                                                              Encrypted:false
                                                              SSDEEP:3:ggPYV:rPYV
                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                              Malicious:true
                                                              Reputation:unknown
                                                              Preview: [ZoneTransfer]....ZoneId=0
                                                              C:\Users\user\AppData\Roaming\TxWUEITvoDwYs.exe
                                                              Process:C:\Users\user\Desktop\Purchase Order-568149.exe
                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):1958400
                                                              Entropy (8bit):7.426284873219883
                                                              Encrypted:false
                                                              SSDEEP:49152:kMJyo1U3GlbQA1obnz3Mc7Dcd/k7AK1j:l9qSov3Mc7DX
                                                              MD5:83F1AFD58BF104CB33FACC556D7BAE89
                                                              SHA1:4D57EA68149DA873D3DA6DE49241D1CD33F1B3F3
                                                              SHA-256:F0A5918DE0509BE93FFA64BE5E74942989FA8ACD94B34B6659F479D22ABAB0CA
                                                              SHA-512:54DC3D6AAE0401EBE1DEE9F98FAA653127D93F5C0BFE2C86C68D4F97E468F344FDBE92F2BB0040A74CF486D1476AACE27974DA3C37507A85CA7F00DA76C187E0
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                              Reputation:unknown
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....|.a..............P.................. ... ....@.. .......................@............@.................................X...O.... ....................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc....... ......................@..B........................H.......L....8......M...X..../............................................(....*&..(.....*.s.........s ........s!........s"........s#........*...0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0...........~....o'....+..*.0...........~....o(....+..*.0..<........~.....().....,!r...p.....(*...o+...s,............~.....+..*.0...........~.....+..*".......*.0..&........(....r%..p~....o-...(......t$....+..*Vs....(/...t.........*..(0...*.0..........
                                                              C:\Users\user\AppData\Roaming\TxWUEITvoDwYs.exe:Zone.Identifier
                                                              Process:C:\Users\user\Desktop\Purchase Order-568149.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):26
                                                              Entropy (8bit):3.95006375643621
                                                              Encrypted:false
                                                              SSDEEP:3:ggPYV:rPYV
                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                              Malicious:true
                                                              Reputation:unknown
                                                              Preview: [ZoneTransfer]....ZoneId=0
                                                              C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe
                                                              Process:C:\Users\user\Desktop\Purchase Order-568149.exe
                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):1958400
                                                              Entropy (8bit):7.426284873219883
                                                              Encrypted:false
                                                              SSDEEP:49152:kMJyo1U3GlbQA1obnz3Mc7Dcd/k7AK1j:l9qSov3Mc7DX
                                                              MD5:83F1AFD58BF104CB33FACC556D7BAE89
                                                              SHA1:4D57EA68149DA873D3DA6DE49241D1CD33F1B3F3
                                                              SHA-256:F0A5918DE0509BE93FFA64BE5E74942989FA8ACD94B34B6659F479D22ABAB0CA
                                                              SHA-512:54DC3D6AAE0401EBE1DEE9F98FAA653127D93F5C0BFE2C86C68D4F97E468F344FDBE92F2BB0040A74CF486D1476AACE27974DA3C37507A85CA7F00DA76C187E0
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                              Reputation:unknown
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....|.a..............P.................. ... ....@.. .......................@............@.................................X...O.... ....................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc....... ......................@..B........................H.......L....8......M...X..../............................................(....*&..(.....*.s.........s ........s!........s"........s#........*...0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0...........~....o'....+..*.0...........~....o(....+..*.0..<........~.....().....,!r...p.....(*...o+...s,............~.....+..*.0...........~.....+..*".......*.0..&........(....r%..p~....o-...(......t$....+..*Vs....(/...t.........*..(0...*.0..........
                                                              C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe:Zone.Identifier
                                                              Process:C:\Users\user\Desktop\Purchase Order-568149.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:modified
                                                              Size (bytes):26
                                                              Entropy (8bit):3.95006375643621
                                                              Encrypted:false
                                                              SSDEEP:3:ggPYV:rPYV
                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                              Malicious:true
                                                              Reputation:unknown
                                                              Preview: [ZoneTransfer]....ZoneId=0

                                                              Static File Info

                                                              General

                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Entropy (8bit):7.426284873219883
                                                              TrID:
                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                              • DOS Executable Generic (2002/1) 0.01%
                                                              File name:Purchase Order-568149.exe
                                                              File size:1958400
                                                              MD5:83f1afd58bf104cb33facc556d7bae89
                                                              SHA1:4d57ea68149da873d3da6de49241d1cd33f1b3f3
                                                              SHA256:f0a5918de0509be93ffa64be5e74942989fa8acd94b34b6659f479d22abab0ca
                                                              SHA512:54dc3d6aae0401ebe1dee9f98faa653127d93f5c0bfe2c86c68d4f97e468f344fdbe92f2bb0040a74cf486d1476aace27974da3c37507a85ca7f00da76c187e0
                                                              SSDEEP:49152:kMJyo1U3GlbQA1obnz3Mc7Dcd/k7AK1j:l9qSov3Mc7DX
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....|.a..............P.................. ... ....@.. .......................@............@................................

                                                              File Icon

                                                              Icon Hash:f0c2a07179b396e8

                                                              Static PE Info

                                                              General

                                                              Entrypoint:0x5a0aaa
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                              Time Stamp:0x61097C8D [Tue Aug 3 17:27:41 2021 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:v4.0.30319
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                              Entrypoint Preview

                                                              Instruction
                                                              jmp dword ptr [00402000h]
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al

                                                              Data Directories

                                                              Name | Virtual Address | Virtual Size | Is in Section
                                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1a0a58 | 0x4f | .text
                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1a2000 | 0x3f098 | .rsrc
                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1e2000 | 0xc | .reloc
                                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                              Sections

                                                              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                              .text | 0x2000 | 0x19eab0 | 0x19ec00 | False | 0.747485896059 | PGP symmetric key encrypted data - Plaintext or unencrypted data | 7.43251327113 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                              .rsrc | 0x1a2000 | 0x3f098 | 0x3f200 | False | 0.744009127475 | data | 7.06543166408 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                              .reloc | 0x1e2000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                              Resources

                                                              Name | RVA | Size | Type | Language | Country
                                                              RT_ICON | 0x1a21e0 | 0x103e6 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
                                                              RT_ICON | 0x1b25d8 | 0x10318 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
                                                              RT_ICON | 0x1c2900 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
                                                              RT_ICON | 0x1d3138 | 0x94a8 | data | |
                                                              RT_ICON | 0x1dc5f0 | 0x25a8 | data | |
                                                              RT_ICON | 0x1deba8 | 0x10a8 | data | |
                                                              RT_ICON | 0x1dfc60 | 0x988 | data | |
                                                              RT_ICON | 0x1e05f8 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                                              RT_GROUP_ICON | 0x1e0a70 | 0x76 | data | |
                                                              RT_VERSION | 0x1e0af8 | 0x3a0 | data | |
                                                              RT_MANIFEST | 0x1e0ea8 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                              Imports

                                                              DLL | Import
                                                              mscoree.dll | _CorExeMain

                                                              Version Infos

                                                              Description | Data
                                                              Translation | 0x0000 0x04b0
                                                              LegalCopyright | Copyright Bloodknight Studios, Slayin
                                                              Assembly Version | 1.0.0.9
                                                              InternalName | DefaultBind.exe
                                                              FileVersion | 1.0.0.9
                                                              CompanyName | Bloodknight Studios
                                                              LegalTrademarks |
                                                              Comments | Character Stat Calc
                                                              ProductName | StatCalc
                                                              ProductVersion | 1.0.0.9
                                                              FileDescription | Astonia Calc
                                                              OriginalFilename | DefaultBind.exe

                                                              Network Behavior

                                                              No network behavior found

                                                              Code Manipulations

                                                              Statistics

                                                              CPU Usage

                                                              Memory Usage

                                                              High Level Behavior Distribution

                                                              Behavior

                                                              System Behavior

                                                              General

                                                              Start time:20:41:18
                                                              Start date:03/08/2021
                                                              Path:C:\Users\user\Desktop\Purchase Order-568149.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:'C:\Users\user\Desktop\Purchase Order-568149.exe'
                                                              Imagebase:0xca0000
                                                              File size:1958400 bytes
                                                              MD5 hash:83F1AFD58BF104CB33FACC556D7BAE89
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Yara matches:
                                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.368950363.0000000003568000.00000004.00000001.sdmp, Author: Joe Security
                                                              Reputation:low

                                                              General

                                                              Start time:20:41:31
                                                              Start date:03/08/2021
                                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RQqbzWGR' /XML 'C:\Users\user\AppData\Local\Temp\tmp5CCB.tmp'
                                                              Imagebase:0xa50000
                                                              File size:185856 bytes
                                                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              General

                                                              Start time:20:41:32
                                                              Start date:03/08/2021
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff61de10000
                                                              File size:625664 bytes
                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              General

                                                              Start time:20:41:33
                                                              Start date:03/08/2021
                                                              Path:C:\Users\user\Desktop\Purchase Order-568149.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:C:\Users\user\Desktop\Purchase Order-568149.exe
                                                              Imagebase:0x650000
                                                              File size:1958400 bytes
                                                              MD5 hash:83F1AFD58BF104CB33FACC556D7BAE89
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Yara matches:
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.390113039.0000000003B49000.00000004.00000001.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000002.390113039.0000000003B49000.00000004.00000001.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000007.00000002.389374922.0000000002CCB000.00000004.00000001.sdmp, Author: Joe Security
                                                              Reputation:low

                                                              General

                                                              Start time:20:41:41
                                                              Start date:03/08/2021
                                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TxWUEITvoDwYs' /XML 'C:\Users\user\AppData\Local\Temp\tmp8013.tmp'
                                                              Imagebase:0xa50000
                                                              File size:185856 bytes
                                                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              General

                                                              Start time:20:41:42
                                                              Start date:03/08/2021
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff61de10000
                                                              File size:625664 bytes
                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              General

                                                              Start time:20:41:43
                                                              Start date:03/08/2021
                                                              Path:C:\Users\user\Desktop\Purchase Order-568149.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Users\user\Desktop\Purchase Order-568149.exe
                                                              Imagebase:0x3a0000
                                                              File size:1958400 bytes
                                                              MD5 hash:83F1AFD58BF104CB33FACC556D7BAE89
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:low

                                                              General

                                                              Start time:20:41:44
                                                              Start date:03/08/2021
                                                              Path:C:\Users\user\Desktop\Purchase Order-568149.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:C:\Users\user\Desktop\Purchase Order-568149.exe
                                                              Imagebase:0x790000
                                                              File size:1958400 bytes
                                                              MD5 hash:83F1AFD58BF104CB33FACC556D7BAE89
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Yara matches:
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.596505185.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000B.00000002.596505185.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.604354638.0000000002D81000.00000004.00000001.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.604354638.0000000002D81000.00000004.00000001.sdmp, Author: Joe Security
                                                              Reputation:low

                                                              General

                                                              Start time:20:42:18
                                                              Start date:03/08/2021
                                                              Path:C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:'C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe'
                                                              Imagebase:0xf70000
                                                              File size:1958400 bytes
                                                              MD5 hash:83F1AFD58BF104CB33FACC556D7BAE89
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Yara matches:
                                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000014.00000002.485090142.00000000039F8000.00000004.00000001.sdmp, Author: Joe Security
                                                              Antivirus matches:
                                                              • Detection: 100%, Joe Sandbox ML
                                                              Reputation:low

                                                              General

                                                              Start time:20:42:25
                                                              Start date:03/08/2021
                                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RQqbzWGR' /XML 'C:\Users\user\AppData\Local\Temp\tmp31EE.tmp'
                                                              Imagebase:0xa50000
                                                              File size:185856 bytes
                                                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              General

                                                              Start time:20:42:25
                                                              Start date:03/08/2021
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff61de10000
                                                              File size:625664 bytes
                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              General

                                                              Start time:20:42:26
                                                              Start date:03/08/2021
                                                              Path:C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:'C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe'
                                                              Imagebase:0x990000
                                                              File size:1958400 bytes
                                                              MD5 hash:83F1AFD58BF104CB33FACC556D7BAE89
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Yara matches:
                                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000019.00000002.509309042.0000000003188000.00000004.00000001.sdmp, Author: Joe Security
                                                              Reputation:low
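
The three schtasks.exe invocations above are the persistence step behind the "Uses schtasks.exe or at.exe to add and modify task schedules" signature: the task is created from an XML file named like GetTempFileName() output (tmp5CCB.tmp, tmp8013.tmp, tmp31EE.tmp) in the user's Temp directory, under a task folder called Updates, and the caller is the sample running from the Desktop or the dropped copy in AppData\Roaming. The Python below is an added example and not part of the Joe Sandbox report. It rebuilds process-creation records from the process list (the report does not print parent PIDs, so the ppid links are assumed; the Backup\Nightly record is a constructed benign contrast case) and flags task creation that has this shape. The report renders command-line quoting with single quotes; the tokenizer accepts both quote styles.

```python
"""Flag schtasks-based persistence of the shape seen in the process list.

Added example; not part of the Joe Sandbox report. Records are constructed
from the report's process list; parent/child links (ppid) are assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process list (ppid values assumed).
# pid 6/7 are a constructed benign contrast case, not from the report.
EVENTS: List[ProcEvent] = [
    ProcEvent(1, 0, r"C:\Users\user\Desktop\Purchase Order-568149.exe",
              r"'C:\Users\user\Desktop\Purchase Order-568149.exe'"),
    ProcEvent(2, 1, r"C:\Windows\SysWOW64\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RQqbzWGR' "
              r"/XML 'C:\Users\user\AppData\Local\Temp\tmp5CCB.tmp'"),
    ProcEvent(3, 2, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(4, 0, r"C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe",
              r"'C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe'"),
    ProcEvent(5, 4, r"C:\Windows\SysWOW64\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RQqbzWGR' "
              r"/XML 'C:\Users\user\AppData\Local\Temp\tmp31EE.tmp'"),
    ProcEvent(6, 7, r"C:\Windows\System32\schtasks.exe",
              r"schtasks.exe /Create /TN 'Backup\Nightly' /XML 'C:\ProgramData\Backup\nightly.xml'"),
    ProcEvent(7, 0, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]

# Paths that an unprivileged user cannot write to; anything else counts as
# user-writable (Desktop, AppData, ProgramData subfolders, ...).
SYSTEM_PATHS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
TEMP_NAME = re.compile(r"\\tmp[0-9a-f]{4}\.tmp$")  # GetTempFileName() naming
_TOKEN = re.compile(r"""'[^']*'|"[^"]*"|\S+""")


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping '...' and "..."
    groups together and stripping the surrounding quotes."""
    out = []
    for tok in _TOKEN.findall(cmdline):
        if len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "'\"":
            tok = tok[1:-1]
        out.append(tok)
    return out


def parse_schtasks_create(cmdline: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the /TN, /XML, /TR and /SC values of a `schtasks /Create`
    command line, or None when the line is not one."""
    toks = tokenize(cmdline)
    if not toks or not toks[0].lower().endswith("schtasks.exe"):
        return None
    lowered = [t.lower() for t in toks]
    if "/create" not in lowered:
        return None

    def arg(flag: str) -> Optional[str]:
        if flag not in lowered:
            return None
        i = lowered.index(flag)
        return toks[i + 1] if i + 1 < len(toks) else None

    return {"task_name": arg("/tn"), "xml": arg("/xml"),
            "run": arg("/tr"), "schedule": arg("/sc")}


def runs_from_user_writable_path(image: str) -> bool:
    return not image.lower().startswith(SYSTEM_PATHS)


def find_suspicious_task_creation(events: List[ProcEvent]) -> List[dict]:
    """One finding per schtasks /Create whose XML is staged in a temp
    directory, is named like a GetTempFileName() file, or whose creating
    process runs from a user-writable location."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parsed = parse_schtasks_create(e.cmdline)
        if parsed is None:
            continue
        xml = (parsed["xml"] or "").lower()
        reasons = []
        if any(m in xml for m in TEMP_MARKERS):
            reasons.append("task definition read from a temp directory")
        if TEMP_NAME.search(xml):
            reasons.append("XML file named like GetTempFileName() output (tmpXXXX.tmp)")
        parent = by_pid.get(e.ppid)
        if parent is not None and runs_from_user_writable_path(parent.image):
            reasons.append(f"created by {parent.image}, which runs from a user-writable path")
        if reasons:
            findings.append({"pid": e.pid, "task": parsed["task_name"],
                             "xml": parsed["xml"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_task_creation(EVENTS):
        print(f"pid {f['pid']}: task {f['task']} from {f['xml']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run stand-alone it reports pids 2 and 5 with all three reasons each and leaves the Backup\Nightly creation alone. On a live host the same check belongs on the process-creation feed (Sysmon event 1 or 4688 with command-line logging), and the temp XML is worth grabbing immediately, since the sample can delete it once the task is registered.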

                                                              Disassembly

                                                              Code Analysis

                                                                Executed Functions

                                                                APIs
                                                                • GetCurrentProcess.KERNEL32 ref: 0184BDD0
                                                                • GetCurrentThread.KERNEL32 ref: 0184BE0D
                                                                • GetCurrentProcess.KERNEL32 ref: 0184BE4A
                                                                • GetCurrentThreadId.KERNEL32 ref: 0184BEA3
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.367774889.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: false
                                                                Similarity
                                                                • API ID: Current$ProcessThread
                                                                • String ID:
                                                                • API String ID: 2063062207-0
                                                                • Opcode ID: 6509d43268899efad72e8b8ca636d8e92924a2ab8b6f257fc3725befdedcc229
                                                                • Instruction ID: 55c18dc735d095329e64a2b480466a410784b82d468c339e86ad4ea1a59dfec7
                                                                • Opcode Fuzzy Hash: 6509d43268899efad72e8b8ca636d8e92924a2ab8b6f257fc3725befdedcc229
                                                                • Instruction Fuzzy Hash: 3E5163B0D007488FDB54CFA9D548B9EBBF0BF88314F248459E119A7360CB759984CB61
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%
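
Every "Source File" line in this section and every Yara "Source" in the process list names a memory dump in the same form, and two parts of that name do the triage work: the protection field (0x40 = PAGE_EXECUTE_READWRITE for the code at 0x1840000 and for the AgentTesla match at 0x402000 in the fourth sample process, 0x04 = PAGE_READWRITE for the heap dumps, 0x02 = PAGE_READONLY for the mapped image at 0xCA2000) and the "based on PE" flag. The Python below is an added example and not part of the Joe Sandbox report. It parses these names, decodes the protection value against the documented Windows PAGE_* constants and flags the regions to dump first. The field layout of the name (analysis process identifier, run, dump id, base address, protection, type) is inferred from the names printed on this page; only the first, fourth and fifth fields are used. The identifier-to-Imagebase mapping comes from the process entries above, which list the 00000000 sources under the process at 0xCA0000 and the 0000000B sources under the one at 0x790000.

```python
"""Decode Joe Sandbox memory-dump source names and triage the regions.

Added example; not part of the report. The .sdmp name layout
(<process id>.<run>.<dump id>.<base address>.<protection>.<type>) is an
assumption inferred from the page; only process id, base address and the
Windows protection value are interpreted.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

PAGE_BASE = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}
DEFAULT_IMAGE_BASE = 0x400000  # linker default for 32-bit executables

_SOURCE = re.compile(
    r"(?P<name>[0-9A-Fa-f]+(?:\.[0-9A-Fa-f]+){5}\.sdmp)"
    r"(?:,\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+))?"
    r"(?:,\s*based on PE:\s*(?P<pe>true|false))?")

# Constructed from the report: disassembly "Memory Dump Source" lines and
# the Yara match sources printed under the process entries.
SOURCES = [
    "Source File: 00000000.00000002.367774889.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: false",
    "Source File: 00000000.00000002.366619130.0000000000CA2000.00000002.00020000.sdmp, Offset: 00CA0000, based on PE: true",
    "Source: 00000000.00000002.368950363.0000000003568000.00000004.00000001.sdmp",
    "Source: 0000000B.00000002.596505185.0000000000402000.00000040.00000001.sdmp",
    "Source: 0000000B.00000002.604354638.0000000002D81000.00000004.00000001.sdmp",
]
# Imagebase of the process each identifier belongs to, per the process list.
IMAGE_BASES = {0x0: 0xCA0000, 0xB: 0x790000}


@dataclass
class DumpRegion:
    name: str
    proc_index: int
    base: int
    protect: int
    based_on_pe: Optional[bool]  # None when the line does not say

    @property
    def protect_name(self) -> str:
        parts = [PAGE_BASE.get(self.protect & 0xFF, f"0x{self.protect & 0xFF:02x}")]
        parts += [n for bit, n in PAGE_MODIFIERS.items() if self.protect & bit]
        return "|".join(parts)

    @property
    def executable(self) -> bool:
        return (self.protect & 0xFF) in EXECUTABLE

    @property
    def writable(self) -> bool:
        return (self.protect & 0xFF) in WRITABLE


def parse_dump_source(line: str) -> Optional[DumpRegion]:
    """Pull the .sdmp name out of a report line and decode its fields."""
    m = _SOURCE.search(line)
    if not m:
        return None
    fields = m.group("name").split(".")[:-1]  # drop the "sdmp" suffix
    pe = m.group("pe")
    return DumpRegion(name=m.group("name"), proc_index=int(fields[0], 16),
                      base=int(fields[3], 16), protect=int(fields[4], 16),
                      based_on_pe=None if pe is None else pe == "true")


def triage(lines: List[str], image_bases: Dict[int, int]) -> List[dict]:
    """Flag W+X pages, executable pages not backed by a mapped PE, and
    executable pages at the default 32-bit image base in a process whose own
    image lives elsewhere (a second PE mapped into the process)."""
    findings = []
    for line in lines:
        r = parse_dump_source(line)
        if r is None:
            continue
        reasons = []
        if r.executable and r.writable:
            reasons.append(f"writable and executable ({r.protect_name})")
        if r.executable and r.based_on_pe is False:
            reasons.append("executable memory not backed by a loaded PE image")
        own_base = image_bases.get(r.proc_index)
        if (r.executable and own_base is not None and own_base != DEFAULT_IMAGE_BASE
                and DEFAULT_IMAGE_BASE <= r.base < DEFAULT_IMAGE_BASE + 0x100000):
            reasons.append(f"executable region at 0x{r.base:x} sits at the default "
                           f"image base while the process image is at 0x{own_base:x}")
        if reasons:
            findings.append({"proc": r.proc_index, "base": r.base,
                             "protect": r.protect_name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SOURCES, IMAGE_BASES):
        print(f"process 0x{f['proc']:x} region 0x{f['base']:x} ({f['protect']})")
        for reason in f["reasons"]:
            print("   -", reason)
```

Run stand-alone it flags two regions: 0x1840000 in the first process (W+X and not PE-backed, the dynamically generated code these functions were lifted from) and 0x402000 in the fourth sample process (W+X at the default 0x400000 base although that process's image is at 0x790000, consistent with the "Injects a PE file into a foreign processes" signature and the AgentTesla Yara hit at that address). The heap regions at 0x3568000 and 0x2D81000 are PAGE_READWRITE and are where the AntiVM and credential-stealer strings matched, so they are the next dumps to read, not the first.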

                                                                APIs
                                                                • CreateActCtxA.KERNEL32(?), ref: 01845A81
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.367774889.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: false
                                                                Similarity
                                                                • API ID: Create
                                                                • String ID:
                                                                • API String ID: 2289755597-0
                                                                • Opcode ID: 2fa3ed53ece8a3b675d583de8221d68c49ffc5121c5361a17884e2527dbf76fd
                                                                • Instruction ID: bcc52504dcaa05c8b38f7d797d85294003ba4ca54fb741315fe062ac35588412
                                                                • Opcode Fuzzy Hash: 2fa3ed53ece8a3b675d583de8221d68c49ffc5121c5361a17884e2527dbf76fd
                                                                • Instruction Fuzzy Hash: 5541D071C0071DCBDB24CFA9C9847CEBBB5BF48308F21846AD419AB251DBB56945CF90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0184C427
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.367774889.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: false
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0
                                                                • Opcode ID: 0c8f2facf3a7483a68479bd74a9fe01fe21837e60c584b787103f54c26d6178e
                                                                • Instruction ID: fc592672cd74d0a1af5df8f84146aec0637a27393e851188784b853a94948315
                                                                • Opcode Fuzzy Hash: 0c8f2facf3a7483a68479bd74a9fe01fe21837e60c584b787103f54c26d6178e
                                                                • Instruction Fuzzy Hash: 182100B5D01249DFDB10CFA9D984AEEBFF4EF48320F14841AE914A7210C374AA44CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0184C427
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.367774889.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: false
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0
                                                                • Opcode ID: ab2dab67e03a582a225c5f71337cc7ce8d9713ae16ac8a217aeede08a6281080
                                                                • Instruction ID: c679ed02b32516d567b3127b6b8ed26741839afcfdb30fc21a31fec89fcf15ab
                                                                • Opcode Fuzzy Hash: ab2dab67e03a582a225c5f71337cc7ce8d9713ae16ac8a217aeede08a6281080
                                                                • Instruction Fuzzy Hash: 5221C4B5D012489FDB10CF99D584ADEBFF8EB48324F15841AE914A7310D774A944CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01849D49,00000800,00000000,00000000), ref: 01849F5A
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.367774889.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: false
                                                                Similarity
                                                                • API ID: LibraryLoad
                                                                • String ID:
                                                                • API String ID: 1029625771-0
                                                                • Opcode ID: 3985b52da04474b4677002c5fc618d59b714b956896fb5f799a9af474e4cea9a
                                                                • Instruction ID: a9c4e086dd7ff56117cce2d0da47683df8deb3fc9fdaba39d91ed121321638e0
                                                                • Opcode Fuzzy Hash: 3985b52da04474b4677002c5fc618d59b714b956896fb5f799a9af474e4cea9a
                                                                • Instruction Fuzzy Hash: 061103B6D002499FDB20CF9AC444ADEFBF4AB48324F05842AE919A7600C775AA45CFA5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 01849CCE
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.367774889.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: false
                                                                Similarity
                                                                • API ID: HandleModule
                                                                • String ID:
                                                                • API String ID: 4139908857-0
                                                                • Opcode ID: 943b363bd905b1e0df287b842b511c98f5aa0969e21fe3bc4ac60649c442ffc0
                                                                • Instruction ID: 91be191f9c6d0fc8f76f16266f47e88a8ebf75173741c053591787c5da32dd1f
                                                                • Opcode Fuzzy Hash: 943b363bd905b1e0df287b842b511c98f5aa0969e21fe3bc4ac60649c442ffc0
                                                                • Instruction Fuzzy Hash: DC1110B5D002498FDB20CF9AD444BDFFBF4AF88324F15851AD529A7600C778A645CFA5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Non-executed Functions

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.366619130.0000000000CA2000.00000002.00020000.sdmp, Offset: 00CA0000, based on PE: true
                                                                • Associated: 00000000.00000002.366601090.0000000000CA0000.00000002.00020000.sdmp
                                                                • Associated: 00000000.00000002.366937225.0000000000E42000.00000002.00020000.sdmp
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 69f0e6cc5ef3304b1faefb1ae3833e2d98d83ae8b92aa53af6c4910d93ce75b3
                                                                • Instruction ID: 3b2f7fdab663e9515158c01ed6b7394d5bf718ef5b6a9a1b275d24abe7833b23
                                                                • Opcode Fuzzy Hash: 69f0e6cc5ef3304b1faefb1ae3833e2d98d83ae8b92aa53af6c4910d93ce75b3
                                                                • Instruction Fuzzy Hash: 8713E5A690E3C19FCB130B386DB52D5BFB19E27218B1E08C7C4C18E4A7D158199BDB67
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.367774889.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b234eec66d3465bfb19c3f3d1003e671a7b192ae26eafdba279bbfbb44b38aa4
                                                                • Instruction ID: 22f45c0af7c0044c6aff6fc78760870d4f9f4f3220db174d4d27369e3ffa9db4
                                                                • Opcode Fuzzy Hash: b234eec66d3465bfb19c3f3d1003e671a7b192ae26eafdba279bbfbb44b38aa4
                                                                • Instruction Fuzzy Hash: E712A6F14117468BD330CF65F99858D3B61B7453AAF906308D2A16BAF9D7B8134ACF84
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.367774889.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.367774889.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Executed Functions

                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.395689708.0000000006D90000.00000040.00000001.sdmp, Offset: 06D90000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.395689708.0000000006D90000.00000040.00000001.sdmp, Offset: 06D90000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.387781252.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false
                                                                Similarity
                                                                • API ID: HandleModule
                                                                • String ID: $m$$m
                                                                • API String ID: 4139908857-3340987849
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06D90276
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.395689708.0000000006D90000.00000040.00000001.sdmp, Offset: 06D90000, based on PE: false
                                                                Similarity
                                                                • API ID: CreateProcess
                                                                • String ID:
                                                                • API String ID: 963392458-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06D90276
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.395689708.0000000006D90000.00000040.00000001.sdmp, Offset: 06D90000, based on PE: false
                                                                Similarity
                                                                • API ID: CreateProcess
                                                                • String ID:
                                                                • API String ID: 963392458-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02B0DD8A
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.387781252.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false
                                                                Similarity
                                                                • API ID: CreateWindow
                                                                • String ID:
                                                                • API String ID: 716092398-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02B0DD8A
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.387781252.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false
                                                                Similarity
                                                                • API ID: CreateWindow
                                                                • String ID:
                                                                • API String ID: 716092398-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B06D7E,?,?,?,?,?), ref: 02B06E3F
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.387781252.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,02B0DEA8,?,?,?,?), ref: 02B0DF1D
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.387781252.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false
                                                                Similarity
                                                                • API ID: LongWindow
                                                                • String ID:
                                                                • API String ID: 1378638983-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B06D7E,?,?,?,?,?), ref: 02B06E3F
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.387781252.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B06D7E,?,?,?,?,?), ref: 02B06E3F
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.387781252.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02B0BE89,00000800,00000000,00000000), ref: 02B0C09A
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.387781252.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false
                                                                Similarity
                                                                • API ID: LibraryLoad
                                                                • String ID:
                                                                • API String ID: 1029625771-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02B0BE89,00000800,00000000,00000000), ref: 02B0C09A
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.387781252.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false
                                                                Similarity
                                                                • API ID: LibraryLoad
                                                                • String ID:
                                                                • API String ID: 1029625771-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • FindCloseChangeNotification.KERNELBASE(?), ref: 06D969E8
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.395689708.0000000006D90000.00000040.00000001.sdmp, Offset: 06D90000, based on PE: false
                                                                Similarity
                                                                • API ID: ChangeCloseFindNotification
                                                                • String ID:
                                                                • API String ID: 2591292051-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,02B0BBDB), ref: 02B0BE0E
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.387781252.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false
                                                                Similarity
                                                                • API ID: HandleModule
                                                                • String ID:
                                                                • API String ID: 4139908857-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • FindCloseChangeNotification.KERNELBASE(?), ref: 06D969E8
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.395689708.0000000006D90000.00000040.00000001.sdmp, Offset: 06D90000, based on PE: false
                                                                Similarity
                                                                • API ID: ChangeCloseFindNotification
                                                                • String ID:
                                                                • API String ID: 2591292051-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,02B0DEA8,?,?,?,?), ref: 02B0DF1D
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.387781252.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false
                                                                Similarity
                                                                • API ID: LongWindow
                                                                • String ID:
                                                                • API String ID: 1378638983-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • PostMessageW.USER32(?,?,?,?), ref: 06D9518D
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.395689708.0000000006D90000.00000040.00000001.sdmp, Offset: 06D90000, based on PE: false
                                                                Similarity
                                                                • API ID: MessagePost
                                                                • String ID:
                                                                • API String ID: 410705778-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • PostMessageW.USER32(?,?,?,?), ref: 06D9518D
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.395689708.0000000006D90000.00000040.00000001.sdmp, Offset: 06D90000, based on PE: false
                                                                Similarity
                                                                • API ID: MessagePost
                                                                • String ID:
                                                                • API String ID: 410705778-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,02B0DEA8,?,?,?,?), ref: 02B0DF1D
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.387781252.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false
                                                                Similarity
                                                                • API ID: LongWindow
                                                                • String ID:
                                                                • API String ID: 1378638983-0
                                                                • Opcode ID: 8c885dcc984f9c6a4e4134b9044fe35a35d55d7b5a9f61f927e3630b79b3307e
                                                                • Instruction ID: 14d10cd35f0f5f3d7cc5f537faa266a9d86ccd63d08490b3ddc783d3d812760e
                                                                • Opcode Fuzzy Hash: 8c885dcc984f9c6a4e4134b9044fe35a35d55d7b5a9f61f927e3630b79b3307e
                                                                • Instruction Fuzzy Hash: A71142B69002498FCB10CF99C584BDEBBF8FF48324F15844AE858A7740C374A944CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Non-executed Functions

Memory Dump Source
• Source File: 00000007.00000002.395689708.0000000006D90000.00000040.00000001.sdmp, Offset: 06D90000, based on PE: false

Memory Dump Source
• Source File: 00000007.00000002.395689708.0000000006D90000.00000040.00000001.sdmp, Offset: 06D90000, based on PE: false

Executed Functions

APIs
• GetUserNameW.ADVAPI32(00000000,00000000), ref: 05EAB63B
Memory Dump Source
• Source File: 0000000B.00000002.609705942.0000000005EA0000.00000040.00000001.sdmp, Offset: 05EA0000, based on PE: false
Similarity
• API ID: NameUser
• API String ID: 2645101109-0

Memory Dump Source
• Source File: 0000000B.00000002.601248144.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Memory Dump Source
• Source File: 0000000B.00000002.601248144.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

APIs
• GetUserNameW.ADVAPI32(00000000,00000000), ref: 05EAB63B
Memory Dump Source
• Source File: 0000000B.00000002.609705942.0000000005EA0000.00000040.00000001.sdmp, Offset: 05EA0000, based on PE: false
Similarity
• API ID: NameUser
• API String ID: 2645101109-0

APIs
• GetUserNameW.ADVAPI32(00000000,00000000), ref: 05EAB63B
Memory Dump Source
• Source File: 0000000B.00000002.609705942.0000000005EA0000.00000040.00000001.sdmp, Offset: 05EA0000, based on PE: false
Similarity
• API ID: NameUser
• API String ID: 2645101109-0

APIs
• MoveFileExW.KERNELBASE(?,00000000,?,?), ref: 05EAC038
Memory Dump Source
• Source File: 0000000B.00000002.609705942.0000000005EA0000.00000040.00000001.sdmp, Offset: 05EA0000, based on PE: false
Similarity
• API ID: FileMove
• API String ID: 3562171763-0

APIs
• DeleteFileW.KERNELBASE(00000000), ref: 05EABA20
Memory Dump Source
• Source File: 0000000B.00000002.609705942.0000000005EA0000.00000040.00000001.sdmp, Offset: 05EA0000, based on PE: false
Similarity
• API ID: DeleteFile
• API String ID: 4033686569-0

APIs
• DeleteFileW.KERNELBASE(00000000), ref: 05EABA20
Memory Dump Source
• Source File: 0000000B.00000002.609705942.0000000005EA0000.00000040.00000001.sdmp, Offset: 05EA0000, based on PE: false
Similarity
• API ID: DeleteFile
• API String ID: 4033686569-0

APIs
• MoveFileExW.KERNELBASE(?,00000000,?,?), ref: 05EAC038
Memory Dump Source
• Source File: 0000000B.00000002.609705942.0000000005EA0000.00000040.00000001.sdmp, Offset: 05EA0000, based on PE: false
Similarity
• API ID: FileMove
• API String ID: 3562171763-0

APIs
• DeleteFileW.KERNELBASE(00000000), ref: 05EABA20
Memory Dump Source
• Source File: 0000000B.00000002.609705942.0000000005EA0000.00000040.00000001.sdmp, Offset: 05EA0000, based on PE: false
Similarity
• API ID: DeleteFile
• API String ID: 4033686569-0

Memory Dump Source
• Source File: 0000000B.00000002.601248144.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Memory Dump Source
• Source File: 0000000B.00000002.601248144.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Memory Dump Source
• Source File: 0000000B.00000002.601248144.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Memory Dump Source
• Source File: 0000000B.00000002.601248144.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Memory Dump Source
• Source File: 0000000B.00000002.601248144.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Memory Dump Source
• Source File: 0000000B.00000002.601248144.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Memory Dump Source
• Source File: 0000000B.00000002.601248144.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Memory Dump Source
• Source File: 0000000B.00000002.601248144.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Memory Dump Source
• Source File: 0000000B.00000002.601248144.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Memory Dump Source
• Source File: 0000000B.00000002.601248144.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Memory Dump Source
• Source File: 0000000B.00000002.601248144.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false
                                                                • Instruction Fuzzy Hash: D71106317066118FCB299A2AE45456EB7B2FFC935432A41F9E406DB3A5DF30DC468B90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.601248144.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4b192c8d6df96c5f19b82a8a7a904a5b81ba7703b0fcafcf3cf25913d40bd678
                                                                • Instruction ID: 2a7484dc77d9cf0c60aadcf3f4a3a0df3ca65418c4e8d2da1d6a703bf1dd6dab
                                                                • Opcode Fuzzy Hash: 4b192c8d6df96c5f19b82a8a7a904a5b81ba7703b0fcafcf3cf25913d40bd678
                                                                • Instruction Fuzzy Hash: 6A0128317082885FD714167A98242BBBA9FEFCA311B158876D64AC77CBCE38CC0653A1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.601248144.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 68c9c058fa350c6b5ce1ba78354403cd9b31f46ced9a9bb3ee94053336f580a5
                                                                • Instruction ID: 6f8a1a6baf1fdbc1a1e93c7541124b56c514b173997af2aa871857eebb9e5cb3
                                                                • Opcode Fuzzy Hash: 68c9c058fa350c6b5ce1ba78354403cd9b31f46ced9a9bb3ee94053336f580a5
                                                                • Instruction Fuzzy Hash: A00128327002146FCF158E68EC14AEF3BF6EBC9750B19806BF501D7290DA758D139BA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.601248144.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9112965c96ef09d99bd3e259c9ae42d81cfa70b04ca61d13c63182e618ebe22c
                                                                • Instruction ID: b8e1fe4a1b832b6697eb768f999444ab805a5a67c9f5b81c8a6236d30c117af7
                                                                • Opcode Fuzzy Hash: 9112965c96ef09d99bd3e259c9ae42d81cfa70b04ca61d13c63182e618ebe22c
                                                                • Instruction Fuzzy Hash: B401FC317082885FC714167A98246ABFA9FEFCA311B158877D64AC7796CE38CC0653A1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.601248144.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3428051da7c02c511f70bdeb7ba7759cbe9c77be202d4e2f62534c8a6efa47f3
                                                                • Instruction ID: 91afd9d69767ba465122c348b0abf82f0222f2429b5b6500ff00a21e6bab5c6c
                                                                • Opcode Fuzzy Hash: 3428051da7c02c511f70bdeb7ba7759cbe9c77be202d4e2f62534c8a6efa47f3
                                                                • Instruction Fuzzy Hash: 79F0A071E042168F8B50DF6CA4045EEBBF5EA88215B15057AE94EE3300E6308A01CBD0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.601248144.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c0f329b07240dd41bd82426f8eed01d5af5d119ceb6ecdc0a0480e30fe9f56e8
                                                                • Instruction ID: bef3d7d169761bee217f9575ca509f974a3a602f029dbc507326baaac975a16e
                                                                • Opcode Fuzzy Hash: c0f329b07240dd41bd82426f8eed01d5af5d119ceb6ecdc0a0480e30fe9f56e8
                                                                • Instruction Fuzzy Hash: F0E01275E042199F4750EBADA8055EEBAF9EA88225B144576E51DE3300EA7049018BD1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.601248144.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0ced4a36b4fa4f77a260608b38c65fbed0ca55bfe6b6c10245bff432ecdccedb
                                                                • Instruction ID: 3c4677b9854f57d3ca8d957b4731c3c5ee3cbf12b8d633344057804c59fc47af
                                                                • Opcode Fuzzy Hash: 0ced4a36b4fa4f77a260608b38c65fbed0ca55bfe6b6c10245bff432ecdccedb
                                                                • Instruction Fuzzy Hash: C0D02B329581144AC740BB64FC43356374AABC0318B22C933A00445339EF68DE1507C1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.601248144.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0ba574c934f71e8fd1c48ae8f2761e55491472bd11835cc4090fa353aaee0aeb
                                                                • Instruction ID: 4b3a345cadbf39699ff8d7e6e9db1a832b4a17b88b718a1da8a4e38c02ec5ca3
                                                                • Opcode Fuzzy Hash: 0ba574c934f71e8fd1c48ae8f2761e55491472bd11835cc4090fa353aaee0aeb
                                                                • Instruction Fuzzy Hash: B0C01231468615468540BF64F881625335A6FC13083428A21A1044933D9FB46E1547C5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Non-executed Functions

                                                                Executed Functions

                                                                APIs
                                                                • GetCurrentProcess.KERNEL32 ref: 035CBDD0
                                                                • GetCurrentThread.KERNEL32 ref: 035CBE0D
                                                                • GetCurrentProcess.KERNEL32 ref: 035CBE4A
                                                                • GetCurrentThreadId.KERNEL32 ref: 035CBEA3
                                                                Memory Dump Source
                                                                • Source File: 00000014.00000002.483288522.00000000035C0000.00000040.00000001.sdmp, Offset: 035C0000, based on PE: false
                                                                Similarity
                                                                • API ID: Current$ProcessThread
                                                                • String ID:
                                                                • API String ID: 2063062207-0

                                                                APIs
                                                                • GetCurrentProcess.KERNEL32 ref: 035CBDD0
                                                                • GetCurrentThread.KERNEL32 ref: 035CBE0D
                                                                • GetCurrentProcess.KERNEL32 ref: 035CBE4A
                                                                • GetCurrentThreadId.KERNEL32 ref: 035CBEA3
                                                                Memory Dump Source
                                                                • Source File: 00000014.00000002.483288522.00000000035C0000.00000040.00000001.sdmp, Offset: 035C0000, based on PE: false
                                                                Similarity
                                                                • API ID: Current$ProcessThread
                                                                • String ID:
                                                                • API String ID: 2063062207-0

                                                                APIs
                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 035C9CCE
                                                                Memory Dump Source
                                                                • Source File: 00000014.00000002.483288522.00000000035C0000.00000040.00000001.sdmp, Offset: 035C0000, based on PE: false
                                                                Similarity
                                                                • API ID: HandleModule
                                                                • String ID:
                                                                • API String ID: 4139908857-0

                                                                APIs
                                                                • CreateActCtxA.KERNEL32(?), ref: 035C5A81
                                                                Memory Dump Source
                                                                • Source File: 00000014.00000002.483288522.00000000035C0000.00000040.00000001.sdmp, Offset: 035C0000, based on PE: false
                                                                Similarity
                                                                • API ID: Create
                                                                • String ID:
                                                                • API String ID: 2289755597-0

                                                                APIs
                                                                • CreateActCtxA.KERNEL32(?), ref: 035C5A81
                                                                Memory Dump Source
                                                                • Source File: 00000014.00000002.483288522.00000000035C0000.00000040.00000001.sdmp, Offset: 035C0000, based on PE: false
                                                                Similarity
                                                                • API ID: Create
                                                                • String ID:
                                                                • API String ID: 2289755597-0

                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 035CC427
                                                                Memory Dump Source
                                                                • Source File: 00000014.00000002.483288522.00000000035C0000.00000040.00000001.sdmp, Offset: 035C0000, based on PE: false
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0

                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 035CC427
                                                                Memory Dump Source
                                                                • Source File: 00000014.00000002.483288522.00000000035C0000.00000040.00000001.sdmp, Offset: 035C0000, based on PE: false
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0

                                                                APIs
                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,035C9D49,00000800,00000000,00000000), ref: 035C9F5A
                                                                Memory Dump Source
                                                                • Source File: 00000014.00000002.483288522.00000000035C0000.00000040.00000001.sdmp, Offset: 035C0000, based on PE: false
                                                                Similarity
                                                                • API ID: LibraryLoad
                                                                • String ID:
                                                                • API String ID: 1029625771-0

                                                                APIs
                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,035C9D49,00000800,00000000,00000000), ref: 035C9F5A
                                                                Memory Dump Source
                                                                • Source File: 00000014.00000002.483288522.00000000035C0000.00000040.00000001.sdmp, Offset: 035C0000, based on PE: false
                                                                Similarity
                                                                • API ID: LibraryLoad
                                                                • String ID:
                                                                • API String ID: 1029625771-0

                                                                APIs
                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 035C9CCE
                                                                Memory Dump Source
                                                                • Source File: 00000014.00000002.483288522.00000000035C0000.00000040.00000001.sdmp, Offset: 035C0000, based on PE: false
                                                                Similarity
                                                                • API ID: HandleModule
                                                                • String ID:
                                                                • API String ID: 4139908857-0

                                                                APIs
                                                                • PostMessageW.USER32(?,?,?,?), ref: 03562DC5
                                                                Memory Dump Source
                                                                • Source File: 00000014.00000002.483150493.0000000003560000.00000040.00000001.sdmp, Offset: 03560000, based on PE: false
                                                                Similarity
                                                                • API ID: MessagePost
                                                                • String ID:
                                                                • API String ID: 410705778-0

                                                                APIs
                                                                • PostMessageW.USER32(?,?,?,?), ref: 03562DC5
                                                                Memory Dump Source
                                                                • Source File: 00000014.00000002.483150493.0000000003560000.00000040.00000001.sdmp, Offset: 03560000, based on PE: false
                                                                Similarity
                                                                • API ID: MessagePost
                                                                • String ID:
                                                                • API String ID: 410705778-0

                                                                Memory Dump Source
                                                                • Source File: 00000014.00000002.482255140.0000000001A5D000.00000040.00000001.sdmp, Offset: 01A5D000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000014.00000002.482328730.0000000001A6D000.00000040.00000001.sdmp, Offset: 01A6D000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000014.00000002.482255140.0000000001A5D000.00000040.00000001.sdmp, Offset: 01A5D000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000014.00000002.482328730.0000000001A6D000.00000040.00000001.sdmp, Offset: 01A6D000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000014.00000002.482255140.0000000001A5D000.00000040.00000001.sdmp, Offset: 01A5D000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000014.00000002.482255140.0000000001A5D000.00000040.00000001.sdmp, Offset: 01A5D000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Non-executed Functions