Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report KAF-PR-21-F-3089_pdf.exe

Overview

General Information

Sample Name:KAF-PR-21-F-3089_pdf.exe
Analysis ID:483902
MD5:b5fdcd6723e679c54a5f8652c59bc52a
SHA1:fc83546ee73bea22ea563b9644700abef62d0ef2
SHA256:245e18b14a6b231f2a89b812dace828478aa24419d600e2ac8c7acd989320e1a
Tags:agentteslaexe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Powershell Defender Exclusion
.NET source code contains very large array initializations
.NET source code contains very large strings
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Binary contains a suspicious time stamp
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • KAF-PR-21-F-3089_pdf.exe (PID: 4932 cmdline: 'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe' MD5: B5FDCD6723E679C54A5F8652C59BC52A)
    • powershell.exe (PID: 2416 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 4152 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgRWrNP' /XML 'C:\Users\user\AppData\Local\Temp\tmp56.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • KAF-PR-21-F-3089_pdf.exe (PID: 5760 cmdline: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe MD5: B5FDCD6723E679C54A5F8652C59BC52A)
  • xepul.exe (PID: 6464 cmdline: 'C:\Users\user\AppData\Roaming\xepul\xepul.exe' MD5: B5FDCD6723E679C54A5F8652C59BC52A)
    • powershell.exe (PID: 7000 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\xepul\xepul.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 7036 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgRWrNP' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA79.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • xepul.exe (PID: 7096 cmdline: C:\Users\user\AppData\Roaming\xepul\xepul.exe MD5: B5FDCD6723E679C54A5F8652C59BC52A)
  • xepul.exe (PID: 6884 cmdline: 'C:\Users\user\AppData\Roaming\xepul\xepul.exe' MD5: B5FDCD6723E679C54A5F8652C59BC52A)
    • powershell.exe (PID: 5180 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\xepul\xepul.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6100 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgRWrNP' /XML 'C:\Users\user\AppData\Local\Temp\tmp12EF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • xepul.exe (PID: 240 cmdline: C:\Users\user\AppData\Roaming\xepul\xepul.exe MD5: B5FDCD6723E679C54A5F8652C59BC52A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000007.00000002.525505401.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000007.00000002.525505401.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000013.00000002.393930598.0000000002E22000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
        0000001C.00000002.435693980.0000000002C11000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          0000001C.00000002.435693980.0000000002C11000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 24 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            23.2.xepul.exe.37072a0.4.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              23.2.xepul.exe.37072a0.4.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                0.2.KAF-PR-21-F-3089_pdf.exe.43972a0.5.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  0.2.KAF-PR-21-F-3089_pdf.exe.43972a0.5.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    7.2.KAF-PR-21-F-3089_pdf.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 15 entries

                      Sigma Overview

                      System Summary:

                      barindex
                      Sigma detected: Powershell Defender ExclusionShow sources
                      Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe' , ParentImage: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe, ParentProcessId: 4932, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe', ProcessId: 2416
                      Sigma detected: Non Interactive PowerShellShow sources
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe' , ParentImage: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe, ParentProcessId: 4932, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe', ProcessId: 2416
                      Sigma detected: T1086 PowerShell ExecutionShow sources
                      Source: Pipe createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132762203357091900.2416.DefaultAppDomain.powershell

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: KAF-PR-21-F-3089_pdf.exeVirustotal: Detection: 30%Perma Link
                      Source: KAF-PR-21-F-3089_pdf.exeReversingLabs: Detection: 28%
                      Multi AV Scanner detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\OgRWrNP.exeReversingLabs: Detection: 28%
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeReversingLabs: Detection: 28%
                      Machine Learning detection for sampleShow sources
                      Source: KAF-PR-21-F-3089_pdf.exeJoe Sandbox ML: detected
                      Machine Learning detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeJoe Sandbox ML: detected
                      Source: C:\Users\user\AppData\Roaming\OgRWrNP.exeJoe Sandbox ML: detected
                      Source: 7.2.KAF-PR-21-F-3089_pdf.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: KAF-PR-21-F-3089_pdf.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: KAF-PR-21-F-3089_pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.548284229.0000000002FB1000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.548284229.0000000002FB1000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.550948575.00000000032DD000.00000004.00000001.sdmp, KAF-PR-21-F-3089_pdf.exe, 00000007.00000003.518331573.00000000010A4000.00000004.00000001.sdmpString found in binary or memory: http://J3BWl3u49AqFuQ10uy.org
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.551350359.0000000003362000.00000004.00000001.sdmpString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.551350359.0000000003362000.00000004.00000001.sdmpString found in binary or memory: http://cps.letsencrypt.org0
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.551350359.0000000003362000.00000004.00000001.sdmpString found in binary or memory: http://cps.root-x1.letsencrypt.org0
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.551350359.0000000003362000.00000004.00000001.sdmpString found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.551085177.0000000003321000.00000004.00000001.sdmpString found in binary or memory: http://mail.fclbd.com
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.551350359.0000000003362000.00000004.00000001.sdmpString found in binary or memory: http://r3.i.lencr.org/0
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.551350359.0000000003362000.00000004.00000001.sdmpString found in binary or memory: http://r3.o.lencr.org0
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000000.00000002.279795283.00000000032D1000.00000004.00000001.sdmp, xepul.exe, 00000013.00000002.393894687.0000000002E11000.00000004.00000001.sdmp, xepul.exe, 00000017.00000002.427903703.0000000002641000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.548284229.0000000002FB1000.00000004.00000001.sdmpString found in binary or memory: http://tTuraz.com
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.551350359.0000000003362000.00000004.00000001.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.551350359.0000000003362000.00000004.00000001.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.548284229.0000000002FB1000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%$
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.548284229.0000000002FB1000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000000.00000002.280292651.00000000042D9000.00000004.00000001.sdmp, KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.525505401.0000000000402000.00000040.00000001.sdmp, xepul.exe, 00000013.00000002.395567488.0000000003E19000.00000004.00000001.sdmp, xepul.exe, 00000017.00000002.430188905.0000000003649000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.548284229.0000000002FB1000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                      System Summary:

                      barindex
                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: KAF-PR-21-F-3089_pdf.exe
                      .NET source code contains very large array initializationsShow sources
                      Source: 7.2.KAF-PR-21-F-3089_pdf.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b18A51FD1u002d699Cu002d4958u002d8E15u002dD578628C0381u007d/DA178CC2u002dD6C0u002d4582u002d870Eu002d4AFCBFB3B250.csLarge array initialization: .cctor: array initializer size 11955
                      .NET source code contains very large stringsShow sources
                      Source: KAF-PR-21-F-3089_pdf.exe, Forms/mainForm.csLong String: Length: 38272
                      Source: OgRWrNP.exe.0.dr, Forms/mainForm.csLong String: Length: 38272
                      Source: 0.0.KAF-PR-21-F-3089_pdf.exe.d00000.0.unpack, Forms/mainForm.csLong String: Length: 38272
                      Source: xepul.exe.7.dr, Forms/mainForm.csLong String: Length: 38272
                      Source: 7.2.KAF-PR-21-F-3089_pdf.exe.9f0000.1.unpack, Forms/mainForm.csLong String: Length: 38272
                      Source: 7.0.KAF-PR-21-F-3089_pdf.exe.9f0000.0.unpack, Forms/mainForm.csLong String: Length: 38272
                      Source: 19.2.xepul.exe.8b0000.0.unpack, Forms/mainForm.csLong String: Length: 38272
                      Source: 19.0.xepul.exe.8b0000.0.unpack, Forms/mainForm.csLong String: Length: 38272
                      Source: 23.0.xepul.exe.2c0000.0.unpack, Forms/mainForm.csLong String: Length: 38272
                      Source: KAF-PR-21-F-3089_pdf.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_016E41880_2_016E4188
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_016E33A00_2_016E33A0
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_016E3A980_2_016E3A98
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_016E7E700_2_016E7E70
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_016E417A0_2_016E417A
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_016E11280_2_016E1128
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_016E11190_2_016E1119
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_016E4B680_2_016E4B68
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_016E33900_2_016E3390
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_016E3A880_2_016E3A88
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_016E05C80_2_016E05C8
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_016E05B80_2_016E05B8
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_016E44F80_2_016E44F8
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_016E4E630_2_016E4E63
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_0307C1240_2_0307C124
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_0307E5630_2_0307E563
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_0307E5700_2_0307E570
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_00B790F87_2_00B790F8
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_00B7D8C07_2_00B7D8C0
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_00B772107_2_00B77210
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_00B757407_2_00B75740
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_00B727487_2_00B72748
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_00B7B4E07_2_00B7B4E0
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_00B7EDB07_2_00B7EDB0
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_00B71A9C7_2_00B71A9C
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_00B7BEC07_2_00B7BEC0
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_00BA3CD27_2_00BA3CD2
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_00BA0BBA7_2_00BA0BBA
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_00BA87C07_2_00BA87C0
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_00BA91307_2_00BA9130
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_00BABFA87_2_00BABFA8
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_010947A07_2_010947A0
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_010946B07_2_010946B0
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_010946D07_2_010946D0
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 19_2_0141C12419_2_0141C124
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 19_2_0141E56119_2_0141E561
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 19_2_0141E57019_2_0141E570
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 19_2_02BD33A019_2_02BD33A0
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 19_2_02BD709019_2_02BD7090
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 19_2_02BD339E19_2_02BD339E
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 19_2_02BD408819_2_02BD4088
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 19_2_02BD408219_2_02BD4082
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 19_2_02BD112819_2_02BD1128
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 19_2_02BD111919_2_02BD1119
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 19_2_02BD05B819_2_02BD05B8
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 19_2_02BD3D9019_2_02BD3D90
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 19_2_02BD3D8219_2_02BD3D82
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 19_2_02BD05C819_2_02BD05C8
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 23_2_00B6C12423_2_00B6C124
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 23_2_00B6E57023_2_00B6E570
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 23_2_00B6E56223_2_00B6E562
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 23_2_025933A023_2_025933A0
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 23_2_0259709023_2_02597090
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 23_2_0259339F23_2_0259339F
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 23_2_0259408823_2_02594088
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 23_2_0259408323_2_02594083
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 23_2_0259111923_2_02591119
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 23_2_0259112823_2_02591128
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 23_2_025905C823_2_025905C8
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 23_2_02593D9023_2_02593D90
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 23_2_02593D8323_2_02593D83
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 23_2_025905B823_2_025905B8
                      Source: KAF-PR-21-F-3089_pdf.exeBinary or memory string: OriginalFilename vs KAF-PR-21-F-3089_pdf.exe
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000000.00000002.279816896.00000000032ED000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameEnvoySinks.dll6 vs KAF-PR-21-F-3089_pdf.exe
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000000.00000002.278858528.0000000000D02000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameISO2022Mod.exe4 vs KAF-PR-21-F-3089_pdf.exe
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000000.00000002.280292651.00000000042D9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXvNxqBZmYOOkfDPzpKQLpRZPpYuDHRfG.exe4 vs KAF-PR-21-F-3089_pdf.exe
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000000.00000002.280292651.00000000042D9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCF_Secretaria.dll< vs KAF-PR-21-F-3089_pdf.exe
                      Source: KAF-PR-21-F-3089_pdf.exeBinary or memory string: OriginalFilename vs KAF-PR-21-F-3089_pdf.exe
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.532992936.0000000000EF8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs KAF-PR-21-F-3089_pdf.exe
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.525505401.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameXvNxqBZmYOOkfDPzpKQLpRZPpYuDHRfG.exe4 vs KAF-PR-21-F-3089_pdf.exe
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.545734745.000000000127A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs KAF-PR-21-F-3089_pdf.exe
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.527053723.00000000009F2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameISO2022Mod.exe4 vs KAF-PR-21-F-3089_pdf.exe
                      Source: KAF-PR-21-F-3089_pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: OgRWrNP.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: xepul.exe.7.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: KAF-PR-21-F-3089_pdf.exeVirustotal: Detection: 30%
                      Source: KAF-PR-21-F-3089_pdf.exeReversingLabs: Detection: 28%
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeFile read: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeJump to behavior
                      Source: KAF-PR-21-F-3089_pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe 'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe'
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe'
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgRWrNP' /XML 'C:\Users\user\AppData\Local\Temp\tmp56.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess created: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\xepul\xepul.exe 'C:\Users\user\AppData\Roaming\xepul\xepul.exe'
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\xepul\xepul.exe 'C:\Users\user\AppData\Roaming\xepul\xepul.exe'
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\xepul\xepul.exe'
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgRWrNP' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA79.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Users\user\AppData\Roaming\xepul\xepul.exe C:\Users\user\AppData\Roaming\xepul\xepul.exe
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\xepul\xepul.exe'
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgRWrNP' /XML 'C:\Users\user\AppData\Local\Temp\tmp12EF.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Users\user\AppData\Roaming\xepul\xepul.exe C:\Users\user\AppData\Roaming\xepul\xepul.exe
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgRWrNP' /XML 'C:\Users\user\AppData\Local\Temp\tmp56.tmp'Jump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess created: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\xepul\xepul.exe'Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgRWrNP' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA79.tmp'Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Users\user\AppData\Roaming\xepul\xepul.exe C:\Users\user\AppData\Roaming\xepul\xepul.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\xepul\xepul.exe'
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgRWrNP' /XML 'C:\Users\user\AppData\Local\Temp\tmp12EF.tmp'
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Users\user\AppData\Roaming\xepul\xepul.exe C:\Users\user\AppData\Roaming\xepul\xepul.exe
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeFile created: C:\Users\user\AppData\Roaming\OgRWrNP.exeJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\tmp56.tmpJump to behavior
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@27/13@0/0
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5316:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5612:120:WilError_01
                      Source: KAF-PR-21-F-3089_pdf.exe, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: OgRWrNP.exe.0.dr, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 0.0.KAF-PR-21-F-3089_pdf.exe.d00000.0.unpack, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: xepul.exe.7.dr, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 7.2.KAF-PR-21-F-3089_pdf.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 7.2.KAF-PR-21-F-3089_pdf.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: KAF-PR-21-F-3089_pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: KAF-PR-21-F-3089_pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: KAF-PR-21-F-3089_pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

                      Data Obfuscation:

                      barindex
                      .NET source code contains potential unpackerShow sources
                      Source: KAF-PR-21-F-3089_pdf.exe, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: OgRWrNP.exe.0.dr, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.0.KAF-PR-21-F-3089_pdf.exe.d00000.0.unpack, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: xepul.exe.7.dr, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 7.2.KAF-PR-21-F-3089_pdf.exe.9f0000.1.unpack, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 7.0.KAF-PR-21-F-3089_pdf.exe.9f0000.0.unpack, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 19.2.xepul.exe.8b0000.0.unpack, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 19.0.xepul.exe.8b0000.0.unpack, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 23.0.xepul.exe.2c0000.0.unpack, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 23_2_00B6F932 push esp; iretd 23_2_00B6F939
                      Source: KAF-PR-21-F-3089_pdf.exeStatic PE information: 0xF53BFD57 [Tue May 18 18:49:59 2100 UTC]
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.18032157411
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.18032157411
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.18032157411
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeFile created: C:\Users\user\AppData\Roaming\OgRWrNP.exeJump to dropped file
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeFile created: C:\Users\user\AppData\Roaming\xepul\xepul.exeJump to dropped file

                      Boot Survival:

                      barindex
                      Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgRWrNP' /XML 'C:\Users\user\AppData\Local\Temp\tmp56.tmp'
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run xepulJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run xepulJump to behavior

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeFile opened: C:\Users\user\AppData\Roaming\xepul\xepul.exe:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      barindex
                      Yara detected AntiVM3Show sources
                      Source: Yara matchFile source: 00000013.00000002.393930598.0000000002E22000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000017.00000002.428038749.0000000002652000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.279795283.00000000032D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: KAF-PR-21-F-3089_pdf.exe PID: 4932, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: xepul.exe PID: 6464, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: xepul.exe PID: 6884, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000000.00000002.279795283.00000000032D1000.00000004.00000001.sdmp, xepul.exe, 00000013.00000002.393930598.0000000002E22000.00000004.00000001.sdmp, xepul.exe, 00000017.00000002.428038749.0000000002652000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000000.00000002.279795283.00000000032D1000.00000004.00000001.sdmp, xepul.exe, 00000013.00000002.393930598.0000000002E22000.00000004.00000001.sdmp, xepul.exe, 00000017.00000002.428038749.0000000002652000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe TID: 5320Thread sleep time: -35050s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe TID: 1592Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5336Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe TID: 6260Thread sleep time: -20291418481080494s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe TID: 6264Thread sleep count: 682 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe TID: 6264Thread sleep count: 9150 > 30Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exe TID: 6468Thread sleep time: -41117s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exe TID: 6492Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exe TID: 6888Thread sleep time: -44823s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exe TID: 6932Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1856Thread sleep time: -3689348814741908s >= -30000s
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6427Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2047Jump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeWindow / User API: threadDelayed 682Jump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeWindow / User API: threadDelayed 9150Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5365
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3153
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeThread delayed: delay time: 35050Jump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeThread delayed: delay time: 41117Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeThread delayed: delay time: 44823
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.546613120.0000000001310000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw
                      Source: xepul.exe, 00000017.00000002.428038749.0000000002652000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: xepul.exe, 00000017.00000002.428038749.0000000002652000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: xepul.exe, 00000017.00000002.428038749.0000000002652000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: xepul.exe, 00000017.00000002.428038749.0000000002652000.00000004.00000001.sdmpBinary or memory string: VMWARE
                      Source: xepul.exe, 00000017.00000002.428038749.0000000002652000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: xepul.exe, 00000017.00000002.428038749.0000000002652000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: xepul.exe, 00000017.00000002.428038749.0000000002652000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                      Source: xepul.exe, 00000017.00000002.428038749.0000000002652000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_00B747C0 LdrInitializeThunk,7_2_00B747C0
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion:

                      barindex
                      Injects a PE file into a foreign processesShow sources
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeMemory written: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe base: 400000 value starts with: 4D5AJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeMemory written: C:\Users\user\AppData\Roaming\xepul\xepul.exe base: 400000 value starts with: 4D5AJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeMemory written: C:\Users\user\AppData\Roaming\xepul\xepul.exe base: 400000 value starts with: 4D5A
                      Adds a directory exclusion to Windows DefenderShow sources
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe'
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\xepul\xepul.exe'
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\xepul\xepul.exe'
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe'Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\xepul\xepul.exe'Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\xepul\xepul.exe'
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgRWrNP' /XML 'C:\Users\user\AppData\Local\Temp\tmp56.tmp'Jump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess created: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\xepul\xepul.exe'Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgRWrNP' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA79.tmp'Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Users\user\AppData\Roaming\xepul\xepul.exe C:\Users\user\AppData\Roaming\xepul\xepul.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\xepul\xepul.exe'
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgRWrNP' /XML 'C:\Users\user\AppData\Local\Temp\tmp12EF.tmp'
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Users\user\AppData\Roaming\xepul\xepul.exe C:\Users\user\AppData\Roaming\xepul\xepul.exe
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.547657903.0000000001900000.00000002.00020000.sdmpBinary or memory string: uProgram Manager
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.547657903.0000000001900000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.547657903.0000000001900000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.547657903.0000000001900000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeQueries volume information: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeQueries volume information: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeQueries volume information: C:\Users\user\AppData\Roaming\xepul\xepul.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeQueries volume information: C:\Users\user\AppData\Roaming\xepul\xepul.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 23.2.xepul.exe.37072a0.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.KAF-PR-21-F-3089_pdf.exe.43972a0.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.KAF-PR-21-F-3089_pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.KAF-PR-21-F-3089_pdf.exe.449f7f0.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.xepul.exe.3ed72a0.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.xepul.exe.3fdf7f0.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 23.2.xepul.exe.380f7f0.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.KAF-PR-21-F-3089_pdf.exe.43972a0.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.xepul.exe.3ed72a0.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 23.2.xepul.exe.37072a0.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000007.00000002.525505401.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001C.00000002.432528576.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.395567488.0000000003E19000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000017.00000002.430188905.0000000003649000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000002.525542610.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.280292651.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001C.00000002.435693980.0000000002C11000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.548284229.0000000002FB1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000002.547283180.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: KAF-PR-21-F-3089_pdf.exe PID: 4932, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: KAF-PR-21-F-3089_pdf.exe PID: 5760, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: xepul.exe PID: 6464, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: xepul.exe PID: 6884, type: MEMORYSTR
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                      Tries to harvest and steal ftp login credentialsShow sources
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\Jump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior
                      Tries to steal Mail credentials (via file access)Show sources
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                      Tries to harvest and steal browser information (history, passwords, etc)Show sources
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                      Source: Yara matchFile source: 0000001C.00000002.435693980.0000000002C11000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.548284229.0000000002FB1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000002.547283180.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: KAF-PR-21-F-3089_pdf.exe PID: 5760, type: MEMORYSTR

                      Remote Access Functionality:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 23.2.xepul.exe.37072a0.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.KAF-PR-21-F-3089_pdf.exe.43972a0.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.KAF-PR-21-F-3089_pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.KAF-PR-21-F-3089_pdf.exe.449f7f0.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.xepul.exe.3ed72a0.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.xepul.exe.3fdf7f0.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 23.2.xepul.exe.380f7f0.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.KAF-PR-21-F-3089_pdf.exe.43972a0.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.xepul.exe.3ed72a0.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 23.2.xepul.exe.37072a0.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000007.00000002.525505401.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001C.00000002.432528576.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.395567488.0000000003E19000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000017.00000002.430188905.0000000003649000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000002.525542610.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.280292651.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001C.00000002.435693980.0000000002C11000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.548284229.0000000002FB1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000002.547283180.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: KAF-PR-21-F-3089_pdf.exe PID: 4932, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: KAF-PR-21-F-3089_pdf.exe PID: 5760, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: xepul.exe PID: 6464, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: xepul.exe PID: 6884, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid AccountsWindows Management Instrumentation211Scheduled Task/Job1Process Injection112Disable or Modify Tools11OS Credential Dumping2File and Directory Discovery1Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsScheduled Task/Job1Registry Run Keys / Startup Folder1Scheduled Task/Job1Deobfuscate/Decode Files or Information1Credentials in Registry1System Information Discovery113Remote Desktop ProtocolData from Local System2Exfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)Registry Run Keys / Startup Folder1Obfuscated Files or Information2Security Account ManagerQuery Registry1SMB/Windows Admin SharesEmail Collection1Automated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Software Packing13NTDSSecurity Software Discovery311Distributed Component Object ModelClipboard Data1Scheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptTimestomp1LSA SecretsProcess Discovery2SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.commonMasquerading1Cached Domain CredentialsVirtualization/Sandbox Evasion131VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsVirtualization/Sandbox Evasion131DCSyncApplication Window Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobProcess Injection112Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Hidden Files and Directories1/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 signatures2 2 Behavior Graph ID: 483902 Sample: KAF-PR-21-F-3089_pdf.exe Startdate: 15/09/2021 Architecture: WINDOWS Score: 100 49 Multi AV Scanner detection for dropped file 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected AgentTesla 2->53 55 9 other signatures 2->55 7 KAF-PR-21-F-3089_pdf.exe 7 2->7         started        11 xepul.exe 5 2->11         started        13 xepul.exe 2->13         started        process3 file4 29 C:\Users\user\AppData\Roaming\OgRWrNP.exe, PE32 7->29 dropped 31 C:\Users\user\...\OgRWrNP.exe:Zone.Identifier, ASCII 7->31 dropped 33 C:\Users\user\AppData\Local\Temp\tmp56.tmp, XML 7->33 dropped 35 C:\Users\...\KAF-PR-21-F-3089_pdf.exe.log, ASCII 7->35 dropped 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->57 59 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->59 61 Uses schtasks.exe or at.exe to add and modify task schedules 7->61 15 KAF-PR-21-F-3089_pdf.exe 2 5 7->15         started        19 powershell.exe 22 7->19         started        21 schtasks.exe 1 7->21         started        63 Multi AV Scanner detection for dropped file 11->63 65 Machine Learning detection for dropped file 11->65 67 Adds a directory exclusion to Windows Defender 11->67 23 powershell.exe 11->23         started        69 Injects a PE file into a foreign processes 13->69 signatures5 process6 file7 37 C:\Users\user\AppData\Roaming\...\xepul.exe, PE32 15->37 dropped 39 C:\Users\user\...\xepul.exe:Zone.Identifier, ASCII 15->39 dropped 41 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->41 43 Tries to steal Mail credentials (via file access) 15->43 45 Tries to harvest and steal ftp login credentials 15->45 47 2 other signatures 15->47 25 conhost.exe 19->25         started        27 conhost.exe 21->27         started        signatures8 process9

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      KAF-PR-21-F-3089_pdf.exe30%VirustotalBrowse
                      KAF-PR-21-F-3089_pdf.exe29%ReversingLabsByteCode-MSIL.Trojan.Taskun
                      KAF-PR-21-F-3089_pdf.exe100%Joe Sandbox ML

                      Dropped Files

                      SourceDetectionScannerLabelLink
                      C:\Users\user\AppData\Roaming\xepul\xepul.exe100%Joe Sandbox ML
                      C:\Users\user\AppData\Roaming\OgRWrNP.exe100%Joe Sandbox ML
                      C:\Users\user\AppData\Roaming\OgRWrNP.exe29%ReversingLabsByteCode-MSIL.Trojan.Taskun
                      C:\Users\user\AppData\Roaming\xepul\xepul.exe29%ReversingLabsByteCode-MSIL.Trojan.Taskun

                      Unpacked PE Files

                      SourceDetectionScannerLabelLinkDownload
                      7.2.KAF-PR-21-F-3089_pdf.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://tTuraz.com0%Avira URL Cloudsafe
                      http://J3BWl3u49AqFuQ10uy.org0%Avira URL Cloudsafe
                      http://cps.letsencrypt.org00%URL Reputationsafe
                      http://mail.fclbd.com0%Avira URL Cloudsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      http://x1.c.lencr.org/00%URL Reputationsafe
                      http://x1.i.lencr.org/00%URL Reputationsafe
                      http://r3.o.lencr.org00%URL Reputationsafe
                      https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://api.ipify.org%$0%Avira URL Cloudsafe
                      http://cps.root-x1.letsencrypt.org00%URL Reputationsafe
                      http://r3.i.lencr.org/00%URL Reputationsafe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://127.0.0.1:HTTP/1.1KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.548284229.0000000002FB1000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		low
                      http://DynDns.comDynDNSKAF-PR-21-F-3089_pdf.exe, 00000007.00000002.548284229.0000000002FB1000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tTuraz.comKAF-PR-21-F-3089_pdf.exe, 00000007.00000002.548284229.0000000002FB1000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://J3BWl3u49AqFuQ10uy.orgKAF-PR-21-F-3089_pdf.exe, 00000007.00000002.550948575.00000000032DD000.00000004.00000001.sdmp, KAF-PR-21-F-3089_pdf.exe, 00000007.00000003.518331573.00000000010A4000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://cps.letsencrypt.org0KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.551350359.0000000003362000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://mail.fclbd.comKAF-PR-21-F-3089_pdf.exe, 00000007.00000002.551085177.0000000003321000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haKAF-PR-21-F-3089_pdf.exe, 00000007.00000002.548284229.0000000002FB1000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://x1.c.lencr.org/0KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.551350359.0000000003362000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://x1.i.lencr.org/0KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.551350359.0000000003362000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://r3.o.lencr.org0KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.551350359.0000000003362000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://api.ipify.org%GETMozilla/5.0KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.548284229.0000000002FB1000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		low
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameKAF-PR-21-F-3089_pdf.exe, 00000000.00000002.279795283.00000000032D1000.00000004.00000001.sdmp, xepul.exe, 00000013.00000002.393894687.0000000002E11000.00000004.00000001.sdmp, xepul.exe, 00000017.00000002.427903703.0000000002641000.00000004.00000001.sdmpfalse
                        		high
                        https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipKAF-PR-21-F-3089_pdf.exe, 00000000.00000002.280292651.00000000042D9000.00000004.00000001.sdmp, KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.525505401.0000000000402000.00000040.00000001.sdmp, xepul.exe, 00000013.00000002.395567488.0000000003E19000.00000004.00000001.sdmp, xepul.exe, 00000017.00000002.430188905.0000000003649000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://api.ipify.org%$KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.548284229.0000000002FB1000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        		low
                        http://cps.root-x1.letsencrypt.org0KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.551350359.0000000003362000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://r3.i.lencr.org/0KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.551350359.0000000003362000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        		unknown

                        Contacted IPs

                        No contacted IP infos

                        General Information

                        Joe Sandbox Version:33.0.0 White Diamond
                        Analysis ID:483902
                        Start date:15.09.2021
                        Start time:15:57:45
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 14m 5s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Sample file name:KAF-PR-21-F-3089_pdf.exe
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of analysed new started processes analysed:40
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@27/13@0/0
                        EGA Information:Failed
                        HDC Information:Failed
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 121
                        • Number of non-executed functions: 9
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Found application associated with file extension: .exe
                        Warnings:
                        Show All
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                        • Not all processes where analyzed, report is missing behavior information
                        • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                        • Report creation exceeded maximum time and may have missing disassembly code information.
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.

                        Simulations

                        Behavior and APIs

                        TimeTypeDescription
                        15:58:49API Interceptor641x Sleep call for process: KAF-PR-21-F-3089_pdf.exe modified
                        15:58:58API Interceptor109x Sleep call for process: powershell.exe modified
                        15:59:24AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run xepul C:\Users\user\AppData\Roaming\xepul\xepul.exe
                        15:59:32AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run xepul C:\Users\user\AppData\Roaming\xepul\xepul.exe
                        15:59:36API Interceptor202x Sleep call for process: xepul.exe modified

                        Joe Sandbox View / Context

                        IPs

                        No context

                        Domains

                        No context

                        ASN

                        No context

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\KAF-PR-21-F-3089_pdf.exe.log
                        Process:C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:modified
                        Size (bytes):1216
                        Entropy (8bit):5.355304211458859
                        Encrypted:false
                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                        MD5:FED34146BF2F2FA59DCF8702FCC8232E
                        SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                        SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                        SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                        Malicious:true
                        Reputation:unknown
                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xepul.exe.log
                        Process:C:\Users\user\AppData\Roaming\xepul\xepul.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1216
                        Entropy (8bit):5.355304211458859
                        Encrypted:false
                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                        MD5:FED34146BF2F2FA59DCF8702FCC8232E
                        SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                        SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                        SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                        Malicious:false
                        Reputation:unknown
                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):0
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:384:RtCDd1tU36d+CS0nqul66DpaeQ99gtXcxm9T1MaPZlbAV7K94Y5ZBDI+RzYB:Kc69Tqul7Fat8FRCOfwkVw
                        MD5:D870AAB255908226597A55FDDCA56A4D
                        SHA1:D20084BBAECE1137AF71EB674DF33217A48FAF99
                        SHA-256:E73BF0C4B86A420C5DB2D76C3A478CDAD96979BF86293D127F0DB6228630DFC9
                        SHA-512:F41873F02EDB7C16FACD8E14FE380518AB86DE9B7B534E4ABAC005DADDB8F3253A65395DB3C6118AB38D4C6227DD20D5FEB82B605298194FF58FDFA725A78386
                        Malicious:false
                        Reputation:unknown
                        Preview: @...e...............................R.....u..........@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0mq00lhn.rw5.ps1
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Reputation:unknown
                        Preview: 1
                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2apcq0hy.cen.psm1
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Reputation:unknown
                        Preview: 1
                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pk23tghi.cbd.ps1
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):0
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Reputation:unknown
                        Preview: 1
                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y2gl204v.y0q.psm1
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):0
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Reputation:unknown
                        Preview: 1
                        C:\Users\user\AppData\Local\Temp\tmp12EF.tmp
                        Process:C:\Users\user\AppData\Roaming\xepul\xepul.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1656
                        Entropy (8bit):5.169017084792058
                        Encrypted:false
                        SSDEEP:24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBOOtn:cbhH7MlNQ8/rydbz9I3YODOLNdq3v
                        MD5:A9DF567399D0A17B6D2674C2AAA16A82
                        SHA1:32D4C4CDD0A61F6689C2D2DF421F0654BC75838F
                        SHA-256:A960454156D58DFD7F2DB473C0E5F2B80AAA8DF27524B32ED560F141F6BB92B5
                        SHA-512:35D43300F9001DD12FE119CF56EB16DBF94B2C9226501C6F742397D9CD7A795BCDA996BD326B5E6A8821D0C38994FBAB9546639417D52ABD2870C24C810B93AE
                        Malicious:false
                        Reputation:unknown
                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv
                        C:\Users\user\AppData\Local\Temp\tmp56.tmp
                        Process:C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1656
                        Entropy (8bit):5.169017084792058
                        Encrypted:false
                        SSDEEP:24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBOOtn:cbhH7MlNQ8/rydbz9I3YODOLNdq3v
                        MD5:A9DF567399D0A17B6D2674C2AAA16A82
                        SHA1:32D4C4CDD0A61F6689C2D2DF421F0654BC75838F
                        SHA-256:A960454156D58DFD7F2DB473C0E5F2B80AAA8DF27524B32ED560F141F6BB92B5
                        SHA-512:35D43300F9001DD12FE119CF56EB16DBF94B2C9226501C6F742397D9CD7A795BCDA996BD326B5E6A8821D0C38994FBAB9546639417D52ABD2870C24C810B93AE
                        Malicious:true
                        Reputation:unknown
                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv
                        C:\Users\user\AppData\Local\Temp\tmpDA79.tmp
                        Process:C:\Users\user\AppData\Roaming\xepul\xepul.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1656
                        Entropy (8bit):5.169017084792058
                        Encrypted:false
                        SSDEEP:24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBOOtn:cbhH7MlNQ8/rydbz9I3YODOLNdq3v
                        MD5:A9DF567399D0A17B6D2674C2AAA16A82
                        SHA1:32D4C4CDD0A61F6689C2D2DF421F0654BC75838F
                        SHA-256:A960454156D58DFD7F2DB473C0E5F2B80AAA8DF27524B32ED560F141F6BB92B5
                        SHA-512:35D43300F9001DD12FE119CF56EB16DBF94B2C9226501C6F742397D9CD7A795BCDA996BD326B5E6A8821D0C38994FBAB9546639417D52ABD2870C24C810B93AE
                        Malicious:false
                        Reputation:unknown
                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv
                        C:\Users\user\AppData\Roaming\OgRWrNP.exe
                        Process:C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):557568
                        Entropy (8bit):7.169608286934158
                        Encrypted:false
                        SSDEEP:6144:HH9v2dlQDbCMN4K4CDdAbOo3JdJI/Z11RNq6/dLcUkp2QtQkZg8rze42L+Vou6c1:KWHCM2K4Cuin1+kFKVjBuL+ifa+eK
                        MD5:B5FDCD6723E679C54A5F8652C59BC52A
                        SHA1:FC83546EE73BEA22EA563B9644700ABEF62D0EF2
                        SHA-256:245E18B14A6B231F2A89B812DACE828478AA24419D600E2AC8C7ACD989320E1A
                        SHA-512:788E6A270A1C05DAD9BB322224EA62D6615828AB744E24879C363858EC68B8DDDC83ECB0B4F99F39E594625B4EFFB26499D4FD07D11188EC6FB558FBA93FB4A3
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 29%
                        Reputation:unknown
                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W.;...............0..x..........j.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...pv... ...x.................. ..`.rsrc................z..............@..@.reloc..............................@..B................L.......H........?..._......o.......X...........................................~..$}......}......}.....(......*...$}......}......}.....(........}......}....*...0..O.........$}......}......}.....(........{....}......{....}......{....}......{....}....*:..{....(.....*...0..w..........R.{........,f.r...p(....-).r!..p(....-%.r-..p(....-%.r9..p(....-%+0..}....+'..J.{....XT+...J.{....XT+...J.{....XT+.*..0...........rE..p.+..*..0...........r...p.+..*..0..................+..*".(.....*....0..
                        C:\Users\user\AppData\Roaming\OgRWrNP.exe:Zone.Identifier
                        Process:C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Reputation:unknown
                        Preview: [ZoneTransfer]....ZoneId=0
                        C:\Users\user\AppData\Roaming\xepul\xepul.exe
                        Process:C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):557568
                        Entropy (8bit):7.169608286934158
                        Encrypted:false
                        SSDEEP:6144:HH9v2dlQDbCMN4K4CDdAbOo3JdJI/Z11RNq6/dLcUkp2QtQkZg8rze42L+Vou6c1:KWHCM2K4Cuin1+kFKVjBuL+ifa+eK
                        MD5:B5FDCD6723E679C54A5F8652C59BC52A
                        SHA1:FC83546EE73BEA22EA563B9644700ABEF62D0EF2
                        SHA-256:245E18B14A6B231F2A89B812DACE828478AA24419D600E2AC8C7ACD989320E1A
                        SHA-512:788E6A270A1C05DAD9BB322224EA62D6615828AB744E24879C363858EC68B8DDDC83ECB0B4F99F39E594625B4EFFB26499D4FD07D11188EC6FB558FBA93FB4A3
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 29%
                        Reputation:unknown
                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W.;...............0..x..........j.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...pv... ...x.................. ..`.rsrc................z..............@..@.reloc..............................@..B................L.......H........?..._......o.......X...........................................~..$}......}......}.....(......*...$}......}......}.....(........}......}....*...0..O.........$}......}......}.....(........{....}......{....}......{....}......{....}....*:..{....(.....*...0..w..........R.{........,f.r...p(....-).r!..p(....-%.r-..p(....-%.r9..p(....-%+0..}....+'..J.{....XT+...J.{....XT+...J.{....XT+.*..0...........rE..p.+..*..0...........r...p.+..*..0..................+..*".(.....*....0..
                        C:\Users\user\AppData\Roaming\xepul\xepul.exe:Zone.Identifier
                        Process:C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:modified
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Reputation:unknown
                        Preview: [ZoneTransfer]....ZoneId=0
                        C:\Users\user\Documents\20210915\PowerShell_transcript.364339.AB9Havin.20210915155857.txt
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):5837
                        Entropy (8bit):5.4032399124452475
                        Encrypted:false
                        SSDEEP:96:BZp66N+qDo1ZjZY66N+qDo1Z70zmzMzjZY66N+qDo1Z7vz8z8zLZc:P6IrQQS
                        MD5:4DBA287E69CA781EABCEBAA75D840CCA
                        SHA1:CACD2BA30D6CE673B33937F6AFD216B4E920FCD1
                        SHA-256:B0499CB5F938D4DC8F1C94F7824BA9C2C5F0511B5DC0B47CDDA24EBEFA3EA8CA
                        SHA-512:6BECF31540A64C6CF2E4361F0DE75AF4337ABB1113A6E81CF45A4A0AEBF6CE7BC093ECEADB51C0D1633CBC6449AAA57553245645CE480D314123A50D47AE0309
                        Malicious:false
                        Reputation:unknown
                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915155858..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 364339 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe..Process ID: 2416..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915155858..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe..**********************..Windows PowerShell transcript start..Start time: 20210915160253..Username: computer\user..RunAs Us
                        C:\Users\user\Documents\20210915\PowerShell_transcript.364339.Qr4P5N31.20210915155948.txt
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):0
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:96:BZ866NTCqDo1ZZkZg66NTCqDo1ZBV7JzjZL66NTCqDo1ZmujjKZN:EUbIjx
                        MD5:044A21D42F0E230437D210E46F50D243
                        SHA1:20567911976918166DA228AA08703754F137789D
                        SHA-256:C20B95C46A1383F2A5909FB8E1EA9363CFDF59A520DC8EE26ABE976F7534DDEB
                        SHA-512:FA58DDBA8FB1C0EF574381867DA92B2BCB0E46D47905D4A88723941BC71A8E09DD46BE37A7EA8C67DCA3363634DD642F623C4615E15CFAC1289809414DE0A0B5
                        Malicious:false
                        Reputation:unknown
                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915155950..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 364339 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\xepul\xepul.exe..Process ID: 7000..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915155950..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\xepul\xepul.exe..**********************..Windows PowerShell transcript start..Start time: 20210915160451..Username: computer\user..RunAs User

                        Static File Info

                        General

                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):7.169608286934158
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                        • Win32 Executable (generic) a (10002005/4) 49.78%
                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        • DOS Executable Generic (2002/1) 0.01%
                        File name:KAF-PR-21-F-3089_pdf.exe
                        File size:557568
                        MD5:b5fdcd6723e679c54a5f8652c59bc52a
                        SHA1:fc83546ee73bea22ea563b9644700abef62d0ef2
                        SHA256:245e18b14a6b231f2a89b812dace828478aa24419d600e2ac8c7acd989320e1a
                        SHA512:788e6a270a1c05dad9bb322224ea62d6615828ab744e24879c363858ec68b8dddc83ecb0b4f99f39e594625b4effb26499d4fd07d11188ec6fb558fba93fb4a3
                        SSDEEP:6144:HH9v2dlQDbCMN4K4CDdAbOo3JdJI/Z11RNq6/dLcUkp2QtQkZg8rze42L+Vou6c1:KWHCM2K4Cuin1+kFKVjBuL+ifa+eK
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W.;...............0..x..........j.... ........@.. ....................................@................................

                        File Icon

                        Icon Hash:00828e8e8686b000

                        Static PE Info

                        General

                        Entrypoint:0x48966a
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                        Time Stamp:0xF53BFD57 [Tue May 18 18:49:59 2100 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:v4.0.30319
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                        Entrypoint Preview

                        Instruction
                        jmp dword ptr [00402000h]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al

                        Data Directories

                        NameVirtual AddressVirtual Size Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_IMPORT0x896180x4f.text
                        IMAGE_DIRECTORY_ENTRY_RESOURCE0x8a0000x5b4.rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x8c0000xc.reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG0x895fc0x1c.text
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                        Sections

                        NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                        .text0x20000x876700x87800False0.760999841444data7.18032157411IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        .rsrc0x8a0000x5b40x600False0.423828125data4.10202463206IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc0x8c0000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                        Resources

                        NameRVASizeTypeLanguageCountry
                        RT_VERSION0x8a0900x324data
                        RT_MANIFEST0x8a3c40x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                        Imports

                        DLLImport
                        mscoree.dll_CorExeMain

                        Version Infos

                        DescriptionData
                        Translation0x0000 0x04b0
                        LegalCopyrightCopyright 2019
                        Assembly Version1.0.0.0
                        InternalNameISO2022Mod.exe
                        FileVersion1.0.0.0
                        CompanyName
                        LegalTrademarks
                        Comments
                        ProductNameDisciples
                        ProductVersion1.0.0.0
                        FileDescriptionDisciples
                        OriginalFilenameISO2022Mod.exe

                        Network Behavior

                        No network behavior found

                        Code Manipulations

                        Statistics

                        CPU Usage

                        Click to jump to process

                        Memory Usage

                        Click to jump to process

                        High Level Behavior Distribution

                        Click to dive into process behavior distribution

                        Behavior

                        Click to jump to process

                        System Behavior

                        Analysis Process: KAF-PR-21-F-3089_pdf.exe PID: 4932 Parent PID: 2212

                        General

                        Start time:15:58:46
                        Start date:15/09/2021
                        Path:C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe
                        Wow64 process (32bit):true
                        Commandline:'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe'
                        Imagebase:0xd00000
                        File size:557568 bytes
                        MD5 hash:B5FDCD6723E679C54A5F8652C59BC52A
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.279795283.00000000032D1000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.280292651.00000000042D9000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.280292651.00000000042D9000.00000004.00000001.sdmp, Author: Joe Security
                        Reputation:low

                        Chronological Activities

                        Analysis Process: powershell.exe PID: 2416 Parent PID: 4932

                        General

                        Start time:15:58:55
                        Start date:15/09/2021
                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):true
                        Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe'
                        Imagebase:0x1110000
                        File size:430592 bytes
                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Reputation:high

                        Chronological Activities

                        Analysis Process: conhost.exe PID: 5612 Parent PID: 2416

                        General

                        Start time:15:58:56
                        Start date:15/09/2021
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff774ee0000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Chronological Activities

                        Analysis Process: schtasks.exe PID: 4152 Parent PID: 4932

                        General

                        Start time:15:58:56
                        Start date:15/09/2021
                        Path:C:\Windows\SysWOW64\schtasks.exe
                        Wow64 process (32bit):true
                        Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgRWrNP' /XML 'C:\Users\user\AppData\Local\Temp\tmp56.tmp'
                        Imagebase:0xc00000
                        File size:185856 bytes
                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Chronological Activities

                        Analysis Process: conhost.exe PID: 5316 Parent PID: 4152

                        General

                        Start time:15:58:56
                        Start date:15/09/2021
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff774ee0000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Chronological Activities

                        Analysis Process: KAF-PR-21-F-3089_pdf.exe PID: 5760 Parent PID: 4932

                        General

                        Start time:15:58:57
                        Start date:15/09/2021
                        Path:C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe
                        Imagebase:0x9f0000
                        File size:557568 bytes
                        MD5 hash:B5FDCD6723E679C54A5F8652C59BC52A
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.525505401.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000002.525505401.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.548284229.0000000002FB1000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.548284229.0000000002FB1000.00000004.00000001.sdmp, Author: Joe Security
                        Reputation:low

                        Chronological Activities

                        Analysis Process: xepul.exe PID: 6464 Parent PID: 3292

                        General

                        Start time:15:59:32
                        Start date:15/09/2021
                        Path:C:\Users\user\AppData\Roaming\xepul\xepul.exe
                        Wow64 process (32bit):true
                        Commandline:'C:\Users\user\AppData\Roaming\xepul\xepul.exe'
                        Imagebase:0x8b0000
                        File size:557568 bytes
                        MD5 hash:B5FDCD6723E679C54A5F8652C59BC52A
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000013.00000002.393930598.0000000002E22000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.395567488.0000000003E19000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000013.00000002.395567488.0000000003E19000.00000004.00000001.sdmp, Author: Joe Security
                        Antivirus matches:
                        • Detection: 100%, Joe Sandbox ML
                        • Detection: 29%, ReversingLabs
                        Reputation:low

                        Chronological Activities

                        Analysis Process: xepul.exe PID: 6884 Parent PID: 3292

                        General

                        Start time:15:59:41
                        Start date:15/09/2021
                        Path:C:\Users\user\AppData\Roaming\xepul\xepul.exe
                        Wow64 process (32bit):true
                        Commandline:'C:\Users\user\AppData\Roaming\xepul\xepul.exe'
                        Imagebase:0x2c0000
                        File size:557568 bytes
                        MD5 hash:B5FDCD6723E679C54A5F8652C59BC52A
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000017.00000002.428038749.0000000002652000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000002.430188905.0000000003649000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000017.00000002.430188905.0000000003649000.00000004.00000001.sdmp, Author: Joe Security
                        Reputation:low

                        Chronological Activities

                        Analysis Process: powershell.exe PID: 7000 Parent PID: 6464

                        General

                        Start time:15:59:45
                        Start date:15/09/2021
                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):true
                        Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\xepul\xepul.exe'
                        Imagebase:0x1110000
                        File size:430592 bytes
                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Reputation:high

                        Chronological Activities

                        Disassembly

                        Code Analysis

                        Reset < >

                          Analysis Process: KAF-PR-21-F-3089_pdf.exe PID: 4932 Parent PID: 2212 KAF-PR-21-F-3089_pdf.exeCOMMON

                          Executed Functions

                          Function 016E4B68, Relevance: 1.5, Strings: 1, Instructions: 214COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.279390905.00000000016E0000.00000040.00000001.sdmp, Offset: 016E0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID: G)C^
                          • API String ID: 0-1201447618
                          • Opcode ID: ee8bb1405a5f50b2db3a4bee22b1d73eea700d18176ffa6f7c77899b44fb549f
                          • Instruction ID: 42cb29a5efd1d2e0acfe82dfdb4d04994ed4265cc78df4c6ad5f07b2bfc18553
                          • Opcode Fuzzy Hash: ee8bb1405a5f50b2db3a4bee22b1d73eea700d18176ffa6f7c77899b44fb549f
                          • Instruction Fuzzy Hash: 5081FF74E16209CBCF04CFA9D9856AEFBF2EB89300F20952AD415EB354DB349A428F55
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 016E7E70, Relevance: .4, Instructions: 352COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.279390905.00000000016E0000.00000040.00000001.sdmp, Offset: 016E0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 736297e0d2d8ccc85204f4e92149610517cdee54a01bbbfaaa4591eb3767e9e5
                          • Instruction ID: b14c21b62adfc6b2e9334e7fa41f790caaac3325873196e880977372cc51bdf1
                          • Opcode Fuzzy Hash: 736297e0d2d8ccc85204f4e92149610517cdee54a01bbbfaaa4591eb3767e9e5
                          • Instruction Fuzzy Hash: 4AD1D030B027058FEB15EB79C958BAE77FAAF88200F14856DD205DB390DB35E901CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 016E3A88, Relevance: .3, Instructions: 308COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.279390905.00000000016E0000.00000040.00000001.sdmp, Offset: 016E0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ad75b714fda7d4b58b5b33dee5a552e1a038034a7403f475864735e0cda53eea
                          • Instruction ID: 0974ec8744eebeafe345fe6c9cf9054f9b6754146ecf98ed7aad891b87733083
                          • Opcode Fuzzy Hash: ad75b714fda7d4b58b5b33dee5a552e1a038034a7403f475864735e0cda53eea
                          • Instruction Fuzzy Hash: 1AD10534E163099FDB14CFA5D946BDEBBF2FB89300F209129E805BB394D77599428B14
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 016E3A98, Relevance: .3, Instructions: 305COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.279390905.00000000016E0000.00000040.00000001.sdmp, Offset: 016E0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: dfeba811ed57ea804ca9355cea3ac9074f19ed3b4846572c987d3ca9f9f6138a
                          • Instruction ID: 56a55c20184e086e4adcfb154f71b9d46b2bcfc5d3e3354c8be69e6e3f84b5a9
                          • Opcode Fuzzy Hash: dfeba811ed57ea804ca9355cea3ac9074f19ed3b4846572c987d3ca9f9f6138a
                          • Instruction Fuzzy Hash: BAC10434E163099FDB14CFA5D946BDEFBF2BB89300F209129E805BB394DB7599428B14
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 016E417A, Relevance: .2, Instructions: 185COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.279390905.00000000016E0000.00000040.00000001.sdmp, Offset: 016E0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c76b1ed72ff82e9945c9e0561175f96aa9e9ea05615c9aa8ef440e84b53ff6fd
                          • Instruction ID: cf68e760b84cc3b2c18a13429109469501c440aa582e2a4358974c2b2c11eea2
                          • Opcode Fuzzy Hash: c76b1ed72ff82e9945c9e0561175f96aa9e9ea05615c9aa8ef440e84b53ff6fd
                          • Instruction Fuzzy Hash: 6B810374E112099FDB14DFE5D888AEEBBB2EF89301F10852AD816AB354DB349902CF54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 016E4188, Relevance: .2, Instructions: 178COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.279390905.00000000016E0000.00000040.00000001.sdmp, Offset: 016E0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d4ed40ecbb3c698de39b2086285607f82a0f021cb96483faaabd38ae3c579b1f
                          • Instruction ID: 6b381881640eb4328dbd731f5cf9ff6b19557b60ce8a77e28bb56351b179d04a
                          • Opcode Fuzzy Hash: d4ed40ecbb3c698de39b2086285607f82a0f021cb96483faaabd38ae3c579b1f
                          • Instruction Fuzzy Hash: 6971E374E112099FDB14DFE5D988AEEBBB2FF89301F10852AD816AB354DB349906CF50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 016E3390, Relevance: .1, Instructions: 133COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.279390905.00000000016E0000.00000040.00000001.sdmp, Offset: 016E0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0acdafa5922979f27f36b9c180b843405b2f254feee807766351faebe026a21d
                          • Instruction ID: e51532cc9ba07472fb6dfdb83b7e2bbbf39fca64462e71dbefea5148cc24c79e
                          • Opcode Fuzzy Hash: 0acdafa5922979f27f36b9c180b843405b2f254feee807766351faebe026a21d
                          • Instruction Fuzzy Hash: 11417D74E16258DBDB08CFA9D945AEDBBF2FB89300F14952AD405B7354DB3499018B28
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 016E33A0, Relevance: .1, Instructions: 132COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.279390905.00000000016E0000.00000040.00000001.sdmp, Offset: 016E0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 21093e6b48999ac9fa9fd8bb6d6ef3d57063f722e1226333e7687a01cab15649
                          • Instruction ID: cd0fc3be694a6d1ed2154e71d29cbc33b81452c753981635e2fd2b213a8f3e86
                          • Opcode Fuzzy Hash: 21093e6b48999ac9fa9fd8bb6d6ef3d57063f722e1226333e7687a01cab15649
                          • Instruction Fuzzy Hash: 7B416D74E16258DBDB08CFA9D944AEDFBF2FF8D200F14952AD405BB354DB3499028B28
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 016E1B85, Relevance: 1.7, APIs: 1, Instructions: 246processCOMMON
                          Download Yara Rule
                          APIs
                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 016E1DC6
                          Memory Dump Source
                          • Source File: 00000000.00000002.279390905.00000000016E0000.00000040.00000001.sdmp, Offset: 016E0000, based on PE: false
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: 5b2ce57aa6981a09d61a09351f4f409d86ed4e21852f3110265534e52f3b1484
                          • Instruction ID: 1adee32ad65b9f3396c1568893ca89cb57efdda91660b4b20658288b048a7905
                          • Opcode Fuzzy Hash: 5b2ce57aa6981a09d61a09351f4f409d86ed4e21852f3110265534e52f3b1484
                          • Instruction Fuzzy Hash: F2A15A71D012198FDB20DFA8CC84BEDBBF2BF49314F148669E809A7280DB759985DF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 016E1B90, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                          Download Yara Rule
                          APIs
                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 016E1DC6
                          Memory Dump Source
                          • Source File: 00000000.00000002.279390905.00000000016E0000.00000040.00000001.sdmp, Offset: 016E0000, based on PE: false
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: e455840c9fa1a849942a22928134522c92aab19f09317d9bf9448174248675e1
                          • Instruction ID: e1905b073f62b885c3b3355e4b41a2d439e17f144eab87ba62d320cf4e91a919
                          • Opcode Fuzzy Hash: e455840c9fa1a849942a22928134522c92aab19f09317d9bf9448174248675e1
                          • Instruction Fuzzy Hash: 36916B71D012198FDB10DFA8CC84BEDBBF2BF49314F148669E809A7280DB759985DF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0307DDCC, Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                          Download Yara Rule
                          APIs
                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0307FE0A
                          Memory Dump Source
                          • Source File: 00000000.00000002.279530001.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                          Similarity
                          • API ID: CreateWindow
                          • String ID:
                          • API String ID: 716092398-0
                          • Opcode ID: 5d905da10b4c7335deabdc0f3e0eb4b7625eac6f566f0f101a42de88fb8805f4
                          • Instruction ID: 65278052b89aa1e4c86df5c83adae85aa23a57088ef616371b5d8eafdc1642c5
                          • Opcode Fuzzy Hash: 5d905da10b4c7335deabdc0f3e0eb4b7625eac6f566f0f101a42de88fb8805f4
                          • Instruction Fuzzy Hash: 8951CDB1D11309EFDB14CF99C884ADEBBB5BF88314F24852AE819AB250D7749985CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 03073DE8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                          Download Yara Rule
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 03075421
                          Memory Dump Source
                          • Source File: 00000000.00000002.279530001.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: 207a3ac51dac2b40132701226ad6d2ca7d3ea08490df4c18966c5a3583ea2de0
                          • Instruction ID: dbd1863dae48973b31b88f7c5e022bd45d65a5a91e6821cd5aa6385f8fa65ec6
                          • Opcode Fuzzy Hash: 207a3ac51dac2b40132701226ad6d2ca7d3ea08490df4c18966c5a3583ea2de0
                          • Instruction Fuzzy Hash: 2241E170C0161CCFDB24CFA9C844BDEBBB5BF49308F248469D418AB251DB756989CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 016E1721, Relevance: 1.6, APIs: 1, Instructions: 94threadinjectionCOMMON
                          Download Yara Rule
                          APIs
                          • SetThreadContext.KERNELBASE(?,00000000), ref: 016E17EE
                          Memory Dump Source
                          • Source File: 00000000.00000002.279390905.00000000016E0000.00000040.00000001.sdmp, Offset: 016E0000, based on PE: false
                          Similarity
                          • API ID: ContextThread
                          • String ID:
                          • API String ID: 1591575202-0
                          • Opcode ID: ecb7946d821055e28565d77a266aafba719e4480d470fbe092960373b17bc39d
                          • Instruction ID: 9e1d7e98caffefd67539f8d590e1781bad4116cc03e2b514c00c4d8f46c9bd7b
                          • Opcode Fuzzy Hash: ecb7946d821055e28565d77a266aafba719e4480d470fbe092960373b17bc39d
                          • Instruction Fuzzy Hash: 0831AB358007099FCB10CFA9C9857EEBBF5EF49220F14842ED955A7310CB38A949DF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0307536B, Relevance: 1.6, APIs: 1, Instructions: 94COMMON
                          Download Yara Rule
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 03075421
                          Memory Dump Source
                          • Source File: 00000000.00000002.279530001.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: c548643f17687c16672b76f06ddb72f2c832a778603fca04de84603b8a6b5b5f
                          • Instruction ID: 22b9fb0187b1deea4ab134dfa07b2815c49f5edfddcf7b10366b4ab53fcb4292
                          • Opcode Fuzzy Hash: c548643f17687c16672b76f06ddb72f2c832a778603fca04de84603b8a6b5b5f
                          • Instruction Fuzzy Hash: CA41F171C0061CCFDB24CFA9C884BDEBBB6BF49308F248569D418AB251DB756989CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 016E1908, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                          Download Yara Rule
                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 016E1998
                          Memory Dump Source
                          • Source File: 00000000.00000002.279390905.00000000016E0000.00000040.00000001.sdmp, Offset: 016E0000, based on PE: false
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: 90c8fddbbf3457df8232a70981bd64d6e6fe57869329847db320ff45656fc00f
                          • Instruction ID: d3c8ab5ca9b1821c564c2a74632690f886a96b979c10b0351ab7cac9fe1f179e
                          • Opcode Fuzzy Hash: 90c8fddbbf3457df8232a70981bd64d6e6fe57869329847db320ff45656fc00f
                          • Instruction Fuzzy Hash: F72125759003499FCB00CFA9C884BEEBBF5FF48314F10892AE959A7340D7789945DBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 016E1901, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                          Download Yara Rule
                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 016E1998
                          Memory Dump Source
                          • Source File: 00000000.00000002.279390905.00000000016E0000.00000040.00000001.sdmp, Offset: 016E0000, based on PE: false
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: 23e9dd0fd405756efa6954c6667b1822f4e6dc3b711fd155c7831c4cb9f546ed
                          • Instruction ID: 41a62fb0201943845f066a73492cb6f7801d8e4562b3e1f52f7f6673413ceef9
                          • Opcode Fuzzy Hash: 23e9dd0fd405756efa6954c6667b1822f4e6dc3b711fd155c7831c4cb9f546ed
                          • Instruction Fuzzy Hash: EE2144B59002099FCB00CFA9C984BEEBBF5FF48314F10892AE919A7340C7789955DBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 03079800, Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                          Download Yara Rule
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0307B87E,?,?,?,?,?), ref: 0307B93F
                          Memory Dump Source
                          • Source File: 00000000.00000002.279530001.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: dacf9aa5bfe3ef16cfff34be82b78d5e750001c572a09967d71cfa39df3b7abd
                          • Instruction ID: 49274d7239dffebf5c53d8221c5fb2925b0f50a37c5b06af5b565d165a22c89d
                          • Opcode Fuzzy Hash: dacf9aa5bfe3ef16cfff34be82b78d5e750001c572a09967d71cfa39df3b7abd
                          • Instruction Fuzzy Hash: 8C21E3B5D01208AFDB10CFA9D584AEEBBF8EB49320F14841AE914B7310D374A954DFA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 016E19F8, Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                          Download Yara Rule
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 016E1A78
                          Memory Dump Source
                          • Source File: 00000000.00000002.279390905.00000000016E0000.00000040.00000001.sdmp, Offset: 016E0000, based on PE: false
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: 80051be9700df20d1d1f964e294eb6e28c2418f5f5606358ca64b042c90a1f6e
                          • Instruction ID: 09bcc030d8afe7eeb0adf82539b1f0f0a536bf53bd748f5d588557ced4edc018
                          • Opcode Fuzzy Hash: 80051be9700df20d1d1f964e294eb6e28c2418f5f5606358ca64b042c90a1f6e
                          • Instruction Fuzzy Hash: AA2125719002499FCB00CFA9C884AEEFBF5FF48314F54892AE919A7240C7789945DBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 016E19F1, Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                          Download Yara Rule
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 016E1A78
                          Memory Dump Source
                          • Source File: 00000000.00000002.279390905.00000000016E0000.00000040.00000001.sdmp, Offset: 016E0000, based on PE: false
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: d5b33c54a939a4069cff8a74f3364fb5f087d94a1bdfbec0fc02bf06b52a95c5
                          • Instruction ID: 9c6621b1af49a442f31fa03ab0bba7c062c14edce3d0bee82e07f29f41a7cc43
                          • Opcode Fuzzy Hash: d5b33c54a939a4069cff8a74f3364fb5f087d94a1bdfbec0fc02bf06b52a95c5
                          • Instruction Fuzzy Hash: 672145B1D002099FCB00CFA9C884BEEFBF5FF48314F14882AE919A7240C7789945DBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 016E1770, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON
                          Download Yara Rule
                          APIs
                          • SetThreadContext.KERNELBASE(?,00000000), ref: 016E17EE
                          Memory Dump Source
                          • Source File: 00000000.00000002.279390905.00000000016E0000.00000040.00000001.sdmp, Offset: 016E0000, based on PE: false
                          Similarity
                          • API ID: ContextThread
                          • String ID:
                          • API String ID: 1591575202-0
                          • Opcode ID: c28caa0b9813bfb2e4e3db4705c860f088d0bd8707d41a91a7d1e721e71f0d33
                          • Instruction ID: d7d9cd1d099752783e78ccd1b1b922514cc015934dce9e4bf6ff4254c1728e59
                          • Opcode Fuzzy Hash: c28caa0b9813bfb2e4e3db4705c860f088d0bd8707d41a91a7d1e721e71f0d33
                          • Instruction Fuzzy Hash: 782138759002088FDB10CFA9C884BEEBBF5EF49224F14842AD919A7340DB789945CFA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 03079478, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                          Download Yara Rule
                          APIs
                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,03079951,00000800,00000000,00000000), ref: 03079B62
                          Memory Dump Source
                          • Source File: 00000000.00000002.279530001.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: 4cf7776024f3340f852e3b70a60662e6d0f429840e8cdb9c522e1260a636a358
                          • Instruction ID: c4f4958d4ce3e1c7ff41f2dee4207ab9a9b557496551f272a50dc9814c6535a3
                          • Opcode Fuzzy Hash: 4cf7776024f3340f852e3b70a60662e6d0f429840e8cdb9c522e1260a636a358
                          • Instruction Fuzzy Hash: F01114B6D003099FCB10CF9AC588ADEFBF8EB99310F14852AE415B7200C374A945CFA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 016E1840, Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON
                          Download Yara Rule
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 016E18B6
                          Memory Dump Source
                          • Source File: 00000000.00000002.279390905.00000000016E0000.00000040.00000001.sdmp, Offset: 016E0000, based on PE: false
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: ad2233ebef334cfa295c17904263ebc86ddb4aff7b5f97fc7caeb5891196afc0
                          • Instruction ID: 749772d5667df2d183f1d931877d0413df3607bccd1e19268c9084874e1e513c
                          • Opcode Fuzzy Hash: ad2233ebef334cfa295c17904263ebc86ddb4aff7b5f97fc7caeb5891196afc0
                          • Instruction Fuzzy Hash: 441156769002088FCB10CFA9D844BEEBBF9EF48324F14882AE515A7650C7759944DFA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 016E1848, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                          Download Yara Rule
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 016E18B6
                          Memory Dump Source
                          • Source File: 00000000.00000002.279390905.00000000016E0000.00000040.00000001.sdmp, Offset: 016E0000, based on PE: false
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: fe5e1f56e1e695885e804f59fa7f81b7a766f65ba561ed1f93814f72909d7b48
                          • Instruction ID: 53b619146a193a56d3801d9d3cad61c2341d0a69c3e5bafb086fe2175ef571f5
                          • Opcode Fuzzy Hash: fe5e1f56e1e695885e804f59fa7f81b7a766f65ba561ed1f93814f72909d7b48
                          • Instruction Fuzzy Hash: C21179759002089FCF10DFA9C844BEFBBF9EF49324F148829E515A7210C7759944DFA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 016E1078, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.279390905.00000000016E0000.00000040.00000001.sdmp, Offset: 016E0000, based on PE: false
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: 392938c7b9a180f057d287ddbd4d42f530b9af5c3154302af6ebe51226d7da2e
                          • Instruction ID: 82cf3c5766ba6023842c528bee447fa400d5116ab5facd7d2a6ae1f9369615e9
                          • Opcode Fuzzy Hash: 392938c7b9a180f057d287ddbd4d42f530b9af5c3154302af6ebe51226d7da2e
                          • Instruction Fuzzy Hash: 19113A75D002488FCB10DFAAC8447EFFBF9AF89224F248829D519A7340CB79A945CF94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 016E1070, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.279390905.00000000016E0000.00000040.00000001.sdmp, Offset: 016E0000, based on PE: false
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: ed01179f837563795a5bec0486df6c4ae0f9c9cf7aedda400b7a02308de83e11
                          • Instruction ID: 4a1b258b9477eb4dd22f8d6899f713bc3b612b5e2ab7eb08fc6c3a96c5b376ac
                          • Opcode Fuzzy Hash: ed01179f837563795a5bec0486df6c4ae0f9c9cf7aedda400b7a02308de83e11
                          • Instruction Fuzzy Hash: FD1119759002488FDB10DFA9D5497EEBBF5AF48214F148819D519A7240CB78A945CF94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 03079870, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                          Download Yara Rule
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 030798D6
                          Memory Dump Source
                          • Source File: 00000000.00000002.279530001.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: f0a173f5389c6e2befe11f2daaa68dc6d163e6d5cd8c6b429ad79a1a721969c9
                          • Instruction ID: 5bc39cafcd2597e546f6ff57988643e90726b2f300659e7eb310e0414159a331
                          • Opcode Fuzzy Hash: f0a173f5389c6e2befe11f2daaa68dc6d163e6d5cd8c6b429ad79a1a721969c9
                          • Instruction Fuzzy Hash: E811DFB5D006498FDB10CF9AD444ADEFBF8EF89324F14852AD829B7600C375A549CFA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0307DE04, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                          Download Yara Rule
                          APIs
                          • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0307FF28,?,?,?,?), ref: 0307FF9D
                          Memory Dump Source
                          • Source File: 00000000.00000002.279530001.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                          Similarity
                          • API ID: LongWindow
                          • String ID:
                          • API String ID: 1378638983-0
                          • Opcode ID: f368c8b85c96b13b8766ccf382fc3132ed5ee294019ada672434e63b4ddff763
                          • Instruction ID: 6bd31a263b6aca7cb31b08b47022d473668137124af7a041a7f6da4e247754ed
                          • Opcode Fuzzy Hash: f368c8b85c96b13b8766ccf382fc3132ed5ee294019ada672434e63b4ddff763
                          • Instruction Fuzzy Hash: AA1125B59002099FCB10CF99D584BDEBBF8EB49324F10841AE915A7200C374A944CFA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 016E6700, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON
                          Download Yara Rule
                          APIs
                          • PostMessageW.USER32(?,?,?,?), ref: 016E675D
                          Memory Dump Source
                          • Source File: 00000000.00000002.279390905.00000000016E0000.00000040.00000001.sdmp, Offset: 016E0000, based on PE: false
                          Similarity
                          • API ID: MessagePost
                          • String ID:
                          • API String ID: 410705778-0
                          • Opcode ID: 9c20a2dce844fc4d03ab89cecc9d54c41e35f2e1ec7bcefcb4d6f0da5941c996
                          • Instruction ID: 0a608e2313c89d7cd4a7abea452b58f5712ca4de8541bbf36a1a1ac022e3b7eb
                          • Opcode Fuzzy Hash: 9c20a2dce844fc4d03ab89cecc9d54c41e35f2e1ec7bcefcb4d6f0da5941c996
                          • Instruction Fuzzy Hash: DB1115B58003089FDB10CF99D888BDEBBF8FB58320F10841AE918A7200C374A984CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 016E66F8, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON
                          Download Yara Rule
                          APIs
                          • PostMessageW.USER32(?,?,?,?), ref: 016E675D
                          Memory Dump Source
                          • Source File: 00000000.00000002.279390905.00000000016E0000.00000040.00000001.sdmp, Offset: 016E0000, based on PE: false
                          Similarity
                          • API ID: MessagePost
                          • String ID:
                          • API String ID: 410705778-0
                          • Opcode ID: 2b33151c5b63a53a7c6d8e56d7f5156bdb3d27ecad7a5a9a54cb49d036df3df7
                          • Instruction ID: 428208da0542ee713deb28bf1ac6bf0a16418f4e5285c67fe26b8cde9813f0a1
                          • Opcode Fuzzy Hash: 2b33151c5b63a53a7c6d8e56d7f5156bdb3d27ecad7a5a9a54cb49d036df3df7
                          • Instruction Fuzzy Hash: 6311F5B58002099FDB10CF99D989BDEBBF4EB58324F14851AD558B7200D375A544CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0164D4C4, Relevance: .1, Instructions: 75COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.279298826.000000000164D000.00000040.00000001.sdmp, Offset: 0164D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e340f7c62782a50c9748b8629500a587e83d28bf6d7fd60473106151f6828359
                          • Instruction ID: 37e11dd9acc529569634ce4bf0f1ad593632512df59abcfd7d2e6711f712a996
                          • Opcode Fuzzy Hash: e340f7c62782a50c9748b8629500a587e83d28bf6d7fd60473106151f6828359
                          • Instruction Fuzzy Hash: 14210371A00240DFDB09DF94D9C0F6ABF66FB98328F24C569E9050B306C736E456CAE1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0165D1D4, Relevance: .1, Instructions: 72COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.279317902.000000000165D000.00000040.00000001.sdmp, Offset: 0165D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 98ebd03ef8507cac921ec69131c21e817b68a62d548f17abc09f13e2b58aca87
                          • Instruction ID: 5f99e685b67ca98b6d642e8b8a0937799a099767ea99333d852c1ae292ee7b0b
                          • Opcode Fuzzy Hash: 98ebd03ef8507cac921ec69131c21e817b68a62d548f17abc09f13e2b58aca87
                          • Instruction Fuzzy Hash: 6421F275504244EFDB41CF94D9C0F26BBA5FB84368F24C96DEE094B386C376D846CAA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0165D01C, Relevance: .1, Instructions: 72COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.279317902.000000000165D000.00000040.00000001.sdmp, Offset: 0165D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 42923565eb7018c7d63164da8749ca3d1199ea36d5bda75f98b3c72e5dbc423d
                          • Instruction ID: 9435f073dc2c5f93118ef861ba03d24d6a4d5d9ac0153ad9d999cf5d34bb7d8e
                          • Opcode Fuzzy Hash: 42923565eb7018c7d63164da8749ca3d1199ea36d5bda75f98b3c72e5dbc423d
                          • Instruction Fuzzy Hash: 2C212275604240DFDB51CFA4D8C0F26BBA5FB84364F20C969DC0A4B386C33AD847CAA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0165D005, Relevance: .1, Instructions: 63COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.279317902.000000000165D000.00000040.00000001.sdmp, Offset: 0165D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e5a172244a15b386546bf4bb76cb9624ea5c358380bd1f2bbb4f82aceb207726
                          • Instruction ID: 156ec2a99e71818ba62a6248dd82031858d28d5ace9051c71dede28446afa9a2
                          • Opcode Fuzzy Hash: e5a172244a15b386546bf4bb76cb9624ea5c358380bd1f2bbb4f82aceb207726
                          • Instruction Fuzzy Hash: AA2180755083809FDB02CF64D994B15BF71EB46214F28C5EAD8498F3A7C33A985ACB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0164D4BF, Relevance: .1, Instructions: 56COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.279298826.000000000164D000.00000040.00000001.sdmp, Offset: 0164D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0e6f7ffd02ba2a82b166b3eeb6ba4046df9914ebf0051f0c98ccf2b40a19682d
                          • Instruction ID: 6844d30f62e5859496975bc10928155e574048d44ad0ac73acb3a75d93e3ac6f
                          • Opcode Fuzzy Hash: 0e6f7ffd02ba2a82b166b3eeb6ba4046df9914ebf0051f0c98ccf2b40a19682d
                          • Instruction Fuzzy Hash: 9711E172904280CFCB06CF54D9C0B16BF71FB84324F24C6A9D8080B716C336D45ACBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0165D1CF, Relevance: .1, Instructions: 53COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.279317902.000000000165D000.00000040.00000001.sdmp, Offset: 0165D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a78bca70b3e9f58e795f9b530d0095e2f241f19884c38e31f49b3587a4c04f99
                          • Instruction ID: 1babbc403c5ebf03f34f6239c8873c75e2104c5adb521e83681d28ffd153160b
                          • Opcode Fuzzy Hash: a78bca70b3e9f58e795f9b530d0095e2f241f19884c38e31f49b3587a4c04f99
                          • Instruction Fuzzy Hash: 4011BB75504280DFCB42CF54C9C0B15BBA1FB84224F28C6ADDD494B796C33AD44ACBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0164D745, Relevance: .0, Instructions: 45COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.279298826.000000000164D000.00000040.00000001.sdmp, Offset: 0164D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ead8dc42b47776382257875702f011b4bae1dc70b5e30ab7bf8397ad80688ffc
                          • Instruction ID: 5e1721329691ce6318d4517043ca5d8749484279b44980ed6886a7df2db9031a
                          • Opcode Fuzzy Hash: ead8dc42b47776382257875702f011b4bae1dc70b5e30ab7bf8397ad80688ffc
                          • Instruction Fuzzy Hash: 4D01F775804380ABE710CEA9CC84B77BF9CDF51238F08895AE9041B346D3799885CAB1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0164D744, Relevance: .0, Instructions: 36COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.279298826.000000000164D000.00000040.00000001.sdmp, Offset: 0164D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4457ca691b1a8a5747e33b1f613017cd2e378686471bd1305d205b16abc36b01
                          • Instruction ID: 49416f796cce8462963f2cc7745be26a42e7ae9a11eb3f14967676207278a599
                          • Opcode Fuzzy Hash: 4457ca691b1a8a5747e33b1f613017cd2e378686471bd1305d205b16abc36b01
                          • Instruction Fuzzy Hash: FFF06D71805284AFEB118E59CCC8B67FF98EF91634F18C55AED085F386C3799844CAB1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions

                          Function 016E44F8, Relevance: 1.4, Strings: 1, Instructions: 151COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.279390905.00000000016E0000.00000040.00000001.sdmp, Offset: 016E0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID: TEC:
                          • API String ID: 0-237161910
                          • Opcode ID: 49da254e6fb7a5729b681fe828d1c373e74cf65459e93c82ce31b8791a947624
                          • Instruction ID: 3734a93e8caab01acb232a814e9a8a322811db3bc637ebd6bada2cd7dc6b82d4
                          • Opcode Fuzzy Hash: 49da254e6fb7a5729b681fe828d1c373e74cf65459e93c82ce31b8791a947624
                          • Instruction Fuzzy Hash: 4F513BB4E12209DFCB04CFA9D9456EEBBF2FB88200F10856AD516E7354DB349A16CF50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0307E570, Relevance: .3, Instructions: 315COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.279530001.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d89f8857507c9b59abc2e3ef93268006436f4da5396677ae3e3f2f287829602d
                          • Instruction ID: 7af6303e846f042e76fc321fa8250b43503fd1a879be6dcd6cc5c82390600304
                          • Opcode Fuzzy Hash: d89f8857507c9b59abc2e3ef93268006436f4da5396677ae3e3f2f287829602d
                          • Instruction Fuzzy Hash: 9112EAF14117468BD318EFE4E5981893BA3B78A32CF506308D2611FAD9D7B691CACF64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0307C124, Relevance: .3, Instructions: 265COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.279530001.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5f7af443ef6ae7f15eb587611b3726a2e7c7628a01e6393428cdf6b0dbf1505b
                          • Instruction ID: 78859b3bc33111ff262618e42bdb64917908d051d28380b802921301a7942484
                          • Opcode Fuzzy Hash: 5f7af443ef6ae7f15eb587611b3726a2e7c7628a01e6393428cdf6b0dbf1505b
                          • Instruction Fuzzy Hash: D7A15E36E012198FCF19DFA5C9445DEBBF6FF89300B15856AE805BB260DB31A955CF80
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0307E563, Relevance: .2, Instructions: 223COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.279530001.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c0836aa90fe57635d16e1fef1eb9d02e7dbdccb7cecd83a779d0e89bc7f6d7b5
                          • Instruction ID: afe2c817856729f1fe76c3f83120f66f349df50bd5bdb09ac03d1542b84fe67a
                          • Opcode Fuzzy Hash: c0836aa90fe57635d16e1fef1eb9d02e7dbdccb7cecd83a779d0e89bc7f6d7b5
                          • Instruction Fuzzy Hash: CFC122B14117458BD718EFA4E8881897BB3FB8A32CF505308D2612F6D9D7B690CACF64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 016E4E63, Relevance: .2, Instructions: 159COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.279390905.00000000016E0000.00000040.00000001.sdmp, Offset: 016E0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 40e652bef34401e974322b448832d6a0c30008e05688acf4138a6ea860ad6dc3
                          • Instruction ID: bcbaeb20b92d432b1bed86f438a29787be5ded6bb7bc282002a183702923ab0e
                          • Opcode Fuzzy Hash: 40e652bef34401e974322b448832d6a0c30008e05688acf4138a6ea860ad6dc3
                          • Instruction Fuzzy Hash: CE613C71D05629CBDB28CF6ACC447D9FAF6AFD9300F14D6AA940DA7215EB305A86CF40
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 016E1128, Relevance: .1, Instructions: 62COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.279390905.00000000016E0000.00000040.00000001.sdmp, Offset: 016E0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: dba3aebcc09ccd367139ed69c2e6578d8accd87eb337b664e004f3bccc7e29b4
                          • Instruction ID: cfd061723377de3bfb29606e97fb043468774401a523be742ba0a8bb719386ef
                          • Opcode Fuzzy Hash: dba3aebcc09ccd367139ed69c2e6578d8accd87eb337b664e004f3bccc7e29b4
                          • Instruction Fuzzy Hash: 90210671E116198BDB18CFABD9406EEFBF7AFC9210F14C17AD508A7214EB304A028B51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 016E05C8, Relevance: .1, Instructions: 60COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.279390905.00000000016E0000.00000040.00000001.sdmp, Offset: 016E0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: abbf9055d6182ab34149df9dc227637e25198f84a2fe490fb70655df931e222d
                          • Instruction ID: d3ac68c1e2727f6055ed9d62500438476103e40142f7088f89a388dac95f6c5f
                          • Opcode Fuzzy Hash: abbf9055d6182ab34149df9dc227637e25198f84a2fe490fb70655df931e222d
                          • Instruction Fuzzy Hash: B9111A71E116188BEB08CFAAD940ADEFBF7ABC8210F14C16AD408A7214DB715A528B51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 016E1119, Relevance: .1, Instructions: 57COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.279390905.00000000016E0000.00000040.00000001.sdmp, Offset: 016E0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: eac81d4f25fab84f56cc68b494d2c65f73e2da7e9052be40fc9058608b0fa480
                          • Instruction ID: b9f3e1f6d6a5a733d0a7d9e9350c815159f8906c67f4d6da7b480c3b27806bc8
                          • Opcode Fuzzy Hash: eac81d4f25fab84f56cc68b494d2c65f73e2da7e9052be40fc9058608b0fa480
                          • Instruction Fuzzy Hash: CB211A70E116198BDB18CFABD94069EFAF7AFC9300F14C17AD808A7354DB3049028F55
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 016E05B8, Relevance: .1, Instructions: 56COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.279390905.00000000016E0000.00000040.00000001.sdmp, Offset: 016E0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 96abced7347f63ef03d534e453d46446478b76718ee61679f0586e40b4ac2a0a
                          • Instruction ID: dd4703b4a2aaf54ad567e072d84b98ccdb0be3913b68993a12ba54f6edd622e1
                          • Opcode Fuzzy Hash: 96abced7347f63ef03d534e453d46446478b76718ee61679f0586e40b4ac2a0a
                          • Instruction Fuzzy Hash: 48115C71E116088BEB08CF6AD940A9EBAF7AFC8300F14C12AD408A7354DB304A428F50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Analysis Process: KAF-PR-21-F-3089_pdf.exe PID: 5760 Parent PID: 4932 KAF-PR-21-F-3089_pdf.exeCOMMON

                          Executed Functions

                          Function 00B747C0, Relevance: 2.1, APIs: 1, Instructions: 560COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000007.00000002.530197868.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: edfcdb7427938dfb3c40f9bffd95b472c43fc941f8f799de379fa3753f218761
                          • Instruction ID: 14f7f6855eae9ba7b5ee4c417a77fac827ab673c9f464298624708de2b2ade12
                          • Opcode Fuzzy Hash: edfcdb7427938dfb3c40f9bffd95b472c43fc941f8f799de379fa3753f218761
                          • Instruction Fuzzy Hash: E0229D30A002058FCB15EBB4D5587AEBBF2AF85305F14C8AAD429AB395DB39DC46CB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 01096B1F, Relevance: 6.1, APIs: 4, Instructions: 142threadCOMMON
                          Download Yara Rule
                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 01096BB0
                          • GetCurrentThread.KERNEL32 ref: 01096BED
                          • GetCurrentProcess.KERNEL32 ref: 01096C2A
                          • GetCurrentThreadId.KERNEL32 ref: 01096C83
                          Memory Dump Source
                          • Source File: 00000007.00000002.536897629.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: false
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0
                          • Opcode ID: e5adfc37896a90899952b60cfbc1edb5d3ab1d8a0348d88a92cfe9c593fcddf9
                          • Instruction ID: 9392997a819bc854bb8011171cbdb119ef98ccdfce2558e6505250a66a1a00a2
                          • Opcode Fuzzy Hash: e5adfc37896a90899952b60cfbc1edb5d3ab1d8a0348d88a92cfe9c593fcddf9
                          • Instruction Fuzzy Hash: 45518AB09003888FDB14CFA9DA88BDEBFF0EF49314F24809AE458A7351D7355984CB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 01096B50, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON
                          Download Yara Rule
                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 01096BB0
                          • GetCurrentThread.KERNEL32 ref: 01096BED
                          • GetCurrentProcess.KERNEL32 ref: 01096C2A
                          • GetCurrentThreadId.KERNEL32 ref: 01096C83
                          Memory Dump Source
                          • Source File: 00000007.00000002.536897629.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: false
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0
                          • Opcode ID: 12eb61fe2ff096bd5e05675eb72b58725dafe9afdc80947b9971ea34b78269f4
                          • Instruction ID: 503def51bc50d9dbd4fa4178b5a6ad1bbfa3b721a16c46fc5a363c74c6da9155
                          • Opcode Fuzzy Hash: 12eb61fe2ff096bd5e05675eb72b58725dafe9afdc80947b9971ea34b78269f4
                          • Instruction Fuzzy Hash: C15137B09006498FDB18CFA9D648BEEBBF4FF48314F20846AE459A7350D7756984CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 01095190, Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                          Download Yara Rule
                          APIs
                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 010952A2
                          Memory Dump Source
                          • Source File: 00000007.00000002.536897629.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: false
                          Similarity
                          • API ID: CreateWindow
                          • String ID:
                          • API String ID: 716092398-0
                          • Opcode ID: 49ece58d6f7e585af387ba0416f6e617507fa59413df0484800754bf7f78d48e
                          • Instruction ID: 571b3df70981043d59415a53b630c1f0d5fceec17fff0eb06f71213be4f04a23
                          • Opcode Fuzzy Hash: 49ece58d6f7e585af387ba0416f6e617507fa59413df0484800754bf7f78d48e
                          • Instruction Fuzzy Hash: 7C41E2B1D00308DFDF15CF9AC894ADEBBB5BF49314F24812AE819AB250D774A885CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00BAB560, Relevance: 1.6, APIs: 1, Instructions: 111registryCOMMON
                          Download Yara Rule
                          APIs
                          • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 00BAB669
                          Memory Dump Source
                          • Source File: 00000007.00000002.531429563.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false
                          Similarity
                          • API ID: QueryValue
                          • String ID:
                          • API String ID: 3660427363-0
                          • Opcode ID: b75a5911f1a7c74c6510ab354380ac37de758de13aaaa8f04f4ab4d76b8f7063
                          • Instruction ID: 059aacaeb8485457fc56d5f6ee112544438767e16cc64bb7044950603fde340b
                          • Opcode Fuzzy Hash: b75a5911f1a7c74c6510ab354380ac37de758de13aaaa8f04f4ab4d76b8f7063
                          • Instruction Fuzzy Hash: EB4122B1E04248DFCB10CFA9C884ADEFBF5AF49300F15846AE828AB351D7749845CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00BAB2A8, Relevance: 1.6, APIs: 1, Instructions: 105registryCOMMON
                          Download Yara Rule
                          APIs
                          • RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 00BAB3AC
                          Memory Dump Source
                          • Source File: 00000007.00000002.531429563.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false
                          Similarity
                          • API ID: Open
                          • String ID:
                          • API String ID: 71445658-0
                          • Opcode ID: 96b32adf9640dcb41000ac4e02b9bae11c2875789d1d86894695907a2a0774f5
                          • Instruction ID: 43014bbb90141486e5a07577749c16e8621146cf12441faeadc8ee28aa454588
                          • Opcode Fuzzy Hash: 96b32adf9640dcb41000ac4e02b9bae11c2875789d1d86894695907a2a0774f5
                          • Instruction Fuzzy Hash: 394146B0E043498FDB00CFA9C584A9EFFF5AF49304F28C1AAD419AB345D7759889CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 01096964, Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                          Download Yara Rule
                          APIs
                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 01097D01
                          Memory Dump Source
                          • Source File: 00000007.00000002.536897629.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: false
                          Similarity
                          • API ID: CallProcWindow
                          • String ID:
                          • API String ID: 2714655100-0
                          • Opcode ID: d0034f55b50530115ab7a57c5940e668377ea1f64526c79f45bc488cdafec67c
                          • Instruction ID: 6013495f4b8e93e59d79638ad32dc00f9d41f565f0011dff847b96574adba225
                          • Opcode Fuzzy Hash: d0034f55b50530115ab7a57c5940e668377ea1f64526c79f45bc488cdafec67c
                          • Instruction Fuzzy Hash: 8E4138B5A00349CFCB14CF99C498AAABBF5FF88314F24C859D559AB321D734A941DFA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00BA3944, Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON
                          Download Yara Rule
                          APIs
                          • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 00BAB669
                          Memory Dump Source
                          • Source File: 00000007.00000002.531429563.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false
                          Similarity
                          • API ID: QueryValue
                          • String ID:
                          • API String ID: 3660427363-0
                          • Opcode ID: 904cc6a90a73d2572aa6b1a42fbb544eed5e583073f2b021d2e3ef8c3f07ac30
                          • Instruction ID: a03c7fa006dee4d7a317ce0336dda9ad6b8475094e9814cff10c9ca917911c0e
                          • Opcode Fuzzy Hash: 904cc6a90a73d2572aa6b1a42fbb544eed5e583073f2b021d2e3ef8c3f07ac30
                          • Instruction Fuzzy Hash: 1A31ECB1D042589FCB10CF9AC984ADEFBF5BF49310F54816AE829AB311D774A945CFA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00BA3938, Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON
                          Download Yara Rule
                          APIs
                          • RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 00BAB3AC
                          Memory Dump Source
                          • Source File: 00000007.00000002.531429563.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false
                          Similarity
                          • API ID: Open
                          • String ID:
                          • API String ID: 71445658-0
                          • Opcode ID: 04d19761ecd25d64b9e284c4d83ec1a261bb7462cac5d4287e869ae73e46c54b
                          • Instruction ID: 3a54a3e55699fea723dc6e0bf7247cbde762895eee5441686e57363f0686c0ef
                          • Opcode Fuzzy Hash: 04d19761ecd25d64b9e284c4d83ec1a261bb7462cac5d4287e869ae73e46c54b
                          • Instruction Fuzzy Hash: 81310FB1D042498FCB10CF99C584A8EFFF5FF49304F2881AAE819AB305C7759889CB94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 01096D78, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                          Download Yara Rule
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01096DFF
                          Memory Dump Source
                          • Source File: 00000007.00000002.536897629.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: false
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: 2b67e70460ea31ec50929d1147dfc08d4477f800180490eeab45ca6b0671135e
                          • Instruction ID: 1667d58542f462c9e1ae9d80ea3a10006dc69928f0f8324123d0f2120530f385
                          • Opcode Fuzzy Hash: 2b67e70460ea31ec50929d1147dfc08d4477f800180490eeab45ca6b0671135e
                          • Instruction Fuzzy Hash: 6921F3B5D002089FDB10CFAAD884ADEBBF8FB48324F14841AE954B7310D379A954DFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0109BD88, Relevance: 1.6, APIs: 1, Instructions: 54COMMON
                          Download Yara Rule
                          APIs
                          • RtlEncodePointer.NTDLL(00000000), ref: 0109BE02
                          Memory Dump Source
                          • Source File: 00000007.00000002.536897629.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: false
                          Similarity
                          • API ID: EncodePointer
                          • String ID:
                          • API String ID: 2118026453-0
                          • Opcode ID: ff7790724c75cc1d23cdc4e126cfb11eabcc0074cd956708055bdd5306422666
                          • Instruction ID: bfa8e8016f99564bc77c5b6b7dc93e0d8112ff3cf04532f4c29bb9ad6f2d8490
                          • Opcode Fuzzy Hash: ff7790724c75cc1d23cdc4e126cfb11eabcc0074cd956708055bdd5306422666
                          • Instruction Fuzzy Hash: 6A1164719023498FDF20DFA9D958B9EBBF8FB48324F20802AD445A7B40D7386548CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00B74D18, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000007.00000002.530197868.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 1122ad4239392f55e2d6784e03f4a6100d2d1b3ba1728e593f4473541035569e
                          • Instruction ID: 48dc53d9d2f93c6ea6a9920a01cfe86d844ac4f25dcd4a10c708ccc91589e076
                          • Opcode Fuzzy Hash: 1122ad4239392f55e2d6784e03f4a6100d2d1b3ba1728e593f4473541035569e
                          • Instruction Fuzzy Hash: 68110770A00258DFDB14EFA9D594AADBBB2FF89305F10C8A9E019AB354DB359885CF50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions

                          Analysis Process: xepul.exe PID: 6464 Parent PID: 3292 xepul.exeCOMMON

                          Executed Functions

                          Function 02BD1B85, Relevance: 1.7, APIs: 1, Instructions: 248processCOMMON
                          Download Yara Rule
                          APIs
                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02BD1DC6
                          Memory Dump Source
                          • Source File: 00000013.00000002.393239673.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: fc38e583a28297ac455f396fd93a370f40e3b41bd12ba6e6a5c22fbb8ad5e2ba
                          • Instruction ID: a2f75084cd17ea32db4ac8332c5fecd4b06924fb06bdf0e6484c2bb6b8295fcc
                          • Opcode Fuzzy Hash: fc38e583a28297ac455f396fd93a370f40e3b41bd12ba6e6a5c22fbb8ad5e2ba
                          • Instruction Fuzzy Hash: 10A12B75D10219CFDB14DFA8C881BEDBBB2FF48314F1489A9D809A7280EB749985DF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02BD1B90, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                          Download Yara Rule
                          APIs
                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02BD1DC6
                          Memory Dump Source
                          • Source File: 00000013.00000002.393239673.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: 3224aa91af0f7635acb6f3563b8c04b6979a50c56506751d851058e4f6599e24
                          • Instruction ID: ffe8b70404bc5676df5df66722a95f96723a0ae515495a314c81d7003ece6b9d
                          • Opcode Fuzzy Hash: 3224aa91af0f7635acb6f3563b8c04b6979a50c56506751d851058e4f6599e24
                          • Instruction Fuzzy Hash: 98912A71D102198FDB14DFA8C881BEDBBB2FF48314F1489A9D809A7280EB759985DF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0141DDCC, Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                          Download Yara Rule
                          APIs
                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0141FE0A
                          Memory Dump Source
                          • Source File: 00000013.00000002.392905679.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false
                          Similarity
                          • API ID: CreateWindow
                          • String ID:
                          • API String ID: 716092398-0
                          • Opcode ID: 847de6211d2efc41dba0a65d1e4b68e6238e7f8d2ac26a184cd74955947dd7e2
                          • Instruction ID: 61f6def141f0cb584e44d1e02fc5c27451496758ee858596a50c59f1abf4fa46
                          • Opcode Fuzzy Hash: 847de6211d2efc41dba0a65d1e4b68e6238e7f8d2ac26a184cd74955947dd7e2
                          • Instruction Fuzzy Hash: DF51D2B1D00308DFDB14CF99C884ADEBBB5FF48314F64812AE819AB264D774994ACF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0141FCEC, Relevance: 1.6, APIs: 1, Instructions: 115COMMON
                          Download Yara Rule
                          APIs
                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0141FE0A
                          Memory Dump Source
                          • Source File: 00000013.00000002.392905679.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false
                          Similarity
                          • API ID: CreateWindow
                          • String ID:
                          • API String ID: 716092398-0
                          • Opcode ID: 0391a41b579e6da5b388265efed25903d914f01e759ee14f9d4245c0626cfeac
                          • Instruction ID: e3c38d2c9bbd3ac78881f9187d423712928a03d3d531d4b48047c7e0932c8a84
                          • Opcode Fuzzy Hash: 0391a41b579e6da5b388265efed25903d914f01e759ee14f9d4245c0626cfeac
                          • Instruction Fuzzy Hash: 2F51E3B5D00309DFDB14CF99C480ADEBBB1FF48314F24812AE819AB224D774994ACF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 01413DE8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                          Download Yara Rule
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 01415421
                          Memory Dump Source
                          • Source File: 00000013.00000002.392905679.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: 750230671ce9e65450893694284a4cfceabd672f8c1a568e3b97dcd1f550a605
                          • Instruction ID: d07e1d70c46b1fd341d5cf3c755c0482b3da83995616ada2388eb0f615cd2215
                          • Opcode Fuzzy Hash: 750230671ce9e65450893694284a4cfceabd672f8c1a568e3b97dcd1f550a605
                          • Instruction Fuzzy Hash: 21410570D0061CCFDB24CFA9C884BDEBBB5BF49318F60856AD409AB251D7B56949CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0141536B, Relevance: 1.6, APIs: 1, Instructions: 92COMMON
                          Download Yara Rule
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 01415421
                          Memory Dump Source
                          • Source File: 00000013.00000002.392905679.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: a90ae15e71c74567237b00c06ecafb7ead9333ae897c4e2bbd03df951d082a54
                          • Instruction ID: ae9ee7388fa2365f1db4e396e46e5c0c2bb5003ad70203c73b465e02613ca7f3
                          • Opcode Fuzzy Hash: a90ae15e71c74567237b00c06ecafb7ead9333ae897c4e2bbd03df951d082a54
                          • Instruction Fuzzy Hash: 91411470D0061CCFDB24CFA9C884BDEBBB5BF49308F20856AD408AB255D775694ACF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02BD1721, Relevance: 1.6, APIs: 1, Instructions: 85threadinjectionCOMMON
                          Download Yara Rule
                          APIs
                          • SetThreadContext.KERNELBASE(?,00000000), ref: 02BD17EE
                          Memory Dump Source
                          • Source File: 00000013.00000002.393239673.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false
                          Similarity
                          • API ID: ContextThread
                          • String ID:
                          • API String ID: 1591575202-0
                          • Opcode ID: d8810fc64b03ddaecc210ee1c9399301c457662f733fa9878978b8a11a24754e
                          • Instruction ID: 182a10912e6d2fd848f4159f4c18dc165011a64bc131f97f9082eef8ab28187b
                          • Opcode Fuzzy Hash: d8810fc64b03ddaecc210ee1c9399301c457662f733fa9878978b8a11a24754e
                          • Instruction Fuzzy Hash: 7E31D2B59043888FCB11CFA9C8917EEBFF4EF49214F58846AD448A7242E7389945CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02BD1901, Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON
                          Download Yara Rule
                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02BD1998
                          Memory Dump Source
                          • Source File: 00000013.00000002.393239673.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: f17fb4ecafeca48d9b726e37259582890ffe33ec7571f28af5ad44a1620177d7
                          • Instruction ID: bc959689391de0846223034d211becf023dca33163fe8f152158b4197c3487fa
                          • Opcode Fuzzy Hash: f17fb4ecafeca48d9b726e37259582890ffe33ec7571f28af5ad44a1620177d7
                          • Instruction Fuzzy Hash: 8E2157759003199FCB00CFA9C884BEEBBF5FF48324F50882AE919A7240D7789945CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02BD1020, Relevance: 1.6, APIs: 1, Instructions: 69threadCOMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000013.00000002.393239673.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: 374912e4aaa82a5497c50d78a463b631712638ca4c0f52096aacb6604af07aa4
                          • Instruction ID: 4d8c4d75a3a2f68591e55df98b45d729c93efbfe2c0a9d0fa0e27d0a60cc0b03
                          • Opcode Fuzzy Hash: 374912e4aaa82a5497c50d78a463b631712638ca4c0f52096aacb6604af07aa4
                          • Instruction Fuzzy Hash: 07212775D002088FCB10DFA9D8457EEFBF5EB88314F60896AC419A7340DB755A46CB95
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02BD1908, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                          Download Yara Rule
                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02BD1998
                          Memory Dump Source
                          • Source File: 00000013.00000002.393239673.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: 2de990fa06cb2162858ebd5a15e90d7e52ecddc68e534929f4566f11a5a54987
                          • Instruction ID: bfd88c10507261b6ffaeb613f0f4f03a1093b9cb2a19c6658fe41224f324b086
                          • Opcode Fuzzy Hash: 2de990fa06cb2162858ebd5a15e90d7e52ecddc68e534929f4566f11a5a54987
                          • Instruction Fuzzy Hash: 6E2136759003499FCF00CFA9C984BEEBBF5FF48314F10882AE919A7240D7789945CBA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02BD19F1, Relevance: 1.6, APIs: 1, Instructions: 66COMMON
                          Download Yara Rule
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02BD1A78
                          Memory Dump Source
                          • Source File: 00000013.00000002.393239673.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: 220d0135ea3fc8d207c1e7307b05315558836cd7df5569bb06407bcaf7bebcc3
                          • Instruction ID: 037b973d66e0e8b512656496c50bae264873277d68b755c74e11b9c6cb004628
                          • Opcode Fuzzy Hash: 220d0135ea3fc8d207c1e7307b05315558836cd7df5569bb06407bcaf7bebcc3
                          • Instruction Fuzzy Hash: 02214A719002199FCB00CFA9C880BEEBBF5FF48324F54852AE929A7240D7789945DBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 01419800, Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                          Download Yara Rule
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0141B87E,?,?,?,?,?), ref: 0141B93F
                          Memory Dump Source
                          • Source File: 00000013.00000002.392905679.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: 9850f9fa1a432f2d02924ebc3b680db3d3346c1550230d0e2e1c2ec6b740bd52
                          • Instruction ID: 7d51e18cd14cf8631a1cc852674d7435b6fc0c36c52eb01ed956194a2f906644
                          • Opcode Fuzzy Hash: 9850f9fa1a432f2d02924ebc3b680db3d3346c1550230d0e2e1c2ec6b740bd52
                          • Instruction Fuzzy Hash: F221E4B59002089FDB10CFA9D584BEEBFF8EB48320F14841AE915B7310D374A945DFA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02BD1770, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON
                          Download Yara Rule
                          APIs
                          • SetThreadContext.KERNELBASE(?,00000000), ref: 02BD17EE
                          Memory Dump Source
                          • Source File: 00000013.00000002.393239673.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false
                          Similarity
                          • API ID: ContextThread
                          • String ID:
                          • API String ID: 1591575202-0
                          • Opcode ID: f43f11d0ff37d4b7775cacff4b8a47ce4184d4bc0e01374986448cebfd4b6589
                          • Instruction ID: e79d33694f2a337fdd176c2698435ff9827235e57352e6fb85b92f2120b73e9d
                          • Opcode Fuzzy Hash: f43f11d0ff37d4b7775cacff4b8a47ce4184d4bc0e01374986448cebfd4b6589
                          • Instruction Fuzzy Hash: 0B212975D003098FCB10CFA9C484BEEBBF9EF48264F54842AD419A7340DB78A945CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02BD19F8, Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                          Download Yara Rule
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02BD1A78
                          Memory Dump Source
                          • Source File: 00000013.00000002.393239673.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: ed6aa4fceb052ea4e4b880444d1a53707b287515422f68d0bab2b03537cd4be4
                          • Instruction ID: 67256e69c3c7e43dc29457e722b87f6c2ab8a29a4ea91c4b7f40cbe381267bd9
                          • Opcode Fuzzy Hash: ed6aa4fceb052ea4e4b880444d1a53707b287515422f68d0bab2b03537cd4be4
                          • Instruction Fuzzy Hash: AE2128719002499FCB00CFA9C884BEEBBF5FF48314F54842AE529A7250D7789945DBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0141B8B3, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                          Download Yara Rule
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0141B87E,?,?,?,?,?), ref: 0141B93F
                          Memory Dump Source
                          • Source File: 00000013.00000002.392905679.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: ec3f6693cc494498daf1b477ccc27ad4d9aff22b327225c52e582fbe61db7c58
                          • Instruction ID: 2a3d05b4dfcafa58928649f859ad18f05c83623eba310ede78419958ac2b0219
                          • Opcode Fuzzy Hash: ec3f6693cc494498daf1b477ccc27ad4d9aff22b327225c52e582fbe61db7c58
                          • Instruction Fuzzy Hash: C021E4B59002499FDB10CFA9D984BEEBFF4EB48320F14841AE955A7310D374A945CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 01419AF3, Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON
                          Download Yara Rule
                          APIs
                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01419951,00000800,00000000,00000000), ref: 01419B62
                          Memory Dump Source
                          • Source File: 00000013.00000002.392905679.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: 1db14dd1bd57054e85fbbe61c0841cc64c275d5c736ad48b5d5010b765603ef9
                          • Instruction ID: 1a42c0c206900e5a16e755a04a2d3b04f43c2c9b0216e164cdfe0c327c56f43b
                          • Opcode Fuzzy Hash: 1db14dd1bd57054e85fbbe61c0841cc64c275d5c736ad48b5d5010b765603ef9
                          • Instruction Fuzzy Hash: DB2162B6D002088FCB10CFA9C444AEAFBF4FB48328F14852AD51AA7211C375A54ACFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02BD1840, Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON
                          Download Yara Rule
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02BD18B6
                          Memory Dump Source
                          • Source File: 00000013.00000002.393239673.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: d31f8198af629d1131073221892f89ea1b7ee0bd30203c7adbfb392303b96724
                          • Instruction ID: edd59ddd5423c5426d0bbd59dace04bb2aa5ede12e71a8b9174eee8789a69c11
                          • Opcode Fuzzy Hash: d31f8198af629d1131073221892f89ea1b7ee0bd30203c7adbfb392303b96724
                          • Instruction Fuzzy Hash: CB117C769002089FCF10DFA9D844BEFBBF9EF48324F14882AD519A7250C779A945DFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 01419478, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                          Download Yara Rule
                          APIs
                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01419951,00000800,00000000,00000000), ref: 01419B62
                          Memory Dump Source
                          • Source File: 00000013.00000002.392905679.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: ed0c1638cc4788ccff8d801b2ea9852ebba97f00c87d6b3959a11184ba8a62c9
                          • Instruction ID: d2195702b4f3a99166f3b4a02b1fe1708c44d916064a390cc3ae1c13ce4b6ae0
                          • Opcode Fuzzy Hash: ed0c1638cc4788ccff8d801b2ea9852ebba97f00c87d6b3959a11184ba8a62c9
                          • Instruction Fuzzy Hash: 621106B6D002099FDB14CF9AD484ADEFBF4FB48324F54852AD519A7210C375A945CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02BD1848, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                          Download Yara Rule
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02BD18B6
                          Memory Dump Source
                          • Source File: 00000013.00000002.393239673.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 24fd51048af3bc01803e7ca679d4f5108fdd5372c7711a02a6844fdf69eb0deb
                          • Instruction ID: f11793cf9f44d2f599d982246e61d65b3133386b175bf378295e536b61819c7f
                          • Opcode Fuzzy Hash: 24fd51048af3bc01803e7ca679d4f5108fdd5372c7711a02a6844fdf69eb0deb
                          • Instruction Fuzzy Hash: 721179759002088FCF10CFA9D844BEFBBF9EF48324F14882AD519A7250C775A944CFA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02BD1070, Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000013.00000002.393239673.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: 3b16a8a807a8dcb5aa5f5a64de608d6e9f27054a5356eca8e9648f6bba200eb6
                          • Instruction ID: 65a50709307208cf88061e062b5c34de8f38fa93bc28e1a5fbd4727d3401a4db
                          • Opcode Fuzzy Hash: 3b16a8a807a8dcb5aa5f5a64de608d6e9f27054a5356eca8e9648f6bba200eb6
                          • Instruction Fuzzy Hash: 161158759002488FCB10DFAAD4447EFFBF9EB48224F24882AC419B7200DB79A945CBA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02BD1078, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000013.00000002.393239673.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: e2187c15158896c1d998e5fab60efd0f0129934490dbb248565032c2e126fd66
                          • Instruction ID: dc35925cc1faf45a4864e871a0d919e6e72adf7aa99ee511bb3b37dd6db95912
                          • Opcode Fuzzy Hash: e2187c15158896c1d998e5fab60efd0f0129934490dbb248565032c2e126fd66
                          • Instruction Fuzzy Hash: 24113A75D002488FCB10DFAAD4447EFFBF9EB48224F14882AC519B7240DB79A945CB95
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 01419869, Relevance: 1.5, APIs: 1, Instructions: 48COMMON
                          Download Yara Rule
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 014198D6
                          Memory Dump Source
                          • Source File: 00000013.00000002.392905679.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: ebc0953d9245723a960462d96e21add72f2d4594ccc9f020c655b211a67f6ff3
                          • Instruction ID: 2677022481f64a14ab998263ae4c5613dbaab22d73539a783703ebbdcf000f63
                          • Opcode Fuzzy Hash: ebc0953d9245723a960462d96e21add72f2d4594ccc9f020c655b211a67f6ff3
                          • Instruction Fuzzy Hash: 1E112DB5D002498FDB10CF9AC444BDEBBF4EF88224F14846AC869B7210C379A545CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 01419870, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                          Download Yara Rule
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 014198D6
                          Memory Dump Source
                          • Source File: 00000013.00000002.392905679.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: 4dd575da5558bec80aa9dddcaab881933fda365fa039def4f49d960729b956aa
                          • Instruction ID: 01aa981fed598a6118829624c2fe9c3371426c2986b1c9496c355c7a75c61813
                          • Opcode Fuzzy Hash: 4dd575da5558bec80aa9dddcaab881933fda365fa039def4f49d960729b956aa
                          • Instruction Fuzzy Hash: CA110FB5D002098FDB10CF9AD444BDEFBF8EB88324F14842AD829B7210C375A545CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0141DE04, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                          Download Yara Rule
                          APIs
                          • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0141FF28,?,?,?,?), ref: 0141FF9D
                          Memory Dump Source
                          • Source File: 00000013.00000002.392905679.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false
                          Similarity
                          • API ID: LongWindow
                          • String ID:
                          • API String ID: 1378638983-0
                          • Opcode ID: 8ebdd645cf744ac50366691bcd9bee4f7de8729b1d5a3968561cd5f41bfbebc3
                          • Instruction ID: 96a7bd42bb751bee42698acb0aa7c24eb32010ca88f4450cab11286aa457083e
                          • Opcode Fuzzy Hash: 8ebdd645cf744ac50366691bcd9bee4f7de8729b1d5a3968561cd5f41bfbebc3
                          • Instruction Fuzzy Hash: A11106B59002089FDB10CF99D584BDEBBF8EB48324F10841AE919A7350C3B4A949CFE5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02BD5910, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                          Download Yara Rule
                          APIs
                          • PostMessageW.USER32(?,?,?,?), ref: 02BD5975
                          Memory Dump Source
                          • Source File: 00000013.00000002.393239673.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false
                          Similarity
                          • API ID: MessagePost
                          • String ID:
                          • API String ID: 410705778-0
                          • Opcode ID: ca2b703d00e1d1a0699b70d17def90247e4e8bca680e545f11305d17872f6227
                          • Instruction ID: 51b06140b642833514b1566758b508d98da58b6cd95cecc4e8f1959c0b16e89d
                          • Opcode Fuzzy Hash: ca2b703d00e1d1a0699b70d17def90247e4e8bca680e545f11305d17872f6227
                          • Instruction Fuzzy Hash: AC1106B59003489FCB10CF99C584BDFFBF8EB48324F64855AE959A7200D379A984CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0141FF38, Relevance: 1.5, APIs: 1, Instructions: 45COMMON
                          Download Yara Rule
                          APIs
                          • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0141FF28,?,?,?,?), ref: 0141FF9D
                          Memory Dump Source
                          • Source File: 00000013.00000002.392905679.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false
                          Similarity
                          • API ID: LongWindow
                          • String ID:
                          • API String ID: 1378638983-0
                          • Opcode ID: bb3848dadaa807fa7d58c5738412331fe37218961c5a1c7847df17e4607e678f
                          • Instruction ID: 353f0e108b525e6c1a7ac6a9fb2e5859b64cfd3a57f69b8743404b32987d5f20
                          • Opcode Fuzzy Hash: bb3848dadaa807fa7d58c5738412331fe37218961c5a1c7847df17e4607e678f
                          • Instruction Fuzzy Hash: 9D1103B58002088FDB10CF99D589BDEBBF8EB48324F14851AD959B7741D378A949CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02BD5918, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON
                          Download Yara Rule
                          APIs
                          • PostMessageW.USER32(?,?,?,?), ref: 02BD5975
                          Memory Dump Source
                          • Source File: 00000013.00000002.393239673.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false
                          Similarity
                          • API ID: MessagePost
                          • String ID:
                          • API String ID: 410705778-0
                          • Opcode ID: 5350c1ff4d2192fe93fd27a28281488061476c7ecced5012649f638abd29989f
                          • Instruction ID: 311a8a37466fbf37a395ea19a5accf8d2080e28fa0bf0295bca810cdfb0ad149
                          • Opcode Fuzzy Hash: 5350c1ff4d2192fe93fd27a28281488061476c7ecced5012649f638abd29989f
                          • Instruction Fuzzy Hash: 561115B58003489FCB10CF99C584BDEFBF8EB48324F14845AE519A7200D375A984CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0133D4C4, Relevance: .1, Instructions: 75COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.392349292.000000000133D000.00000040.00000001.sdmp, Offset: 0133D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d2e14d66e9b24c0a8f5ef43208196d42fc6ac1bd5b73872db948759b401b09fd
                          • Instruction ID: 3ca47fceff7c95f0170ab994e0df52ff9a297f39e416fe6056d782b1ea3f1cdd
                          • Opcode Fuzzy Hash: d2e14d66e9b24c0a8f5ef43208196d42fc6ac1bd5b73872db948759b401b09fd
                          • Instruction Fuzzy Hash: 9821F171500244DFEB01DF94D9C0F66BB6AFBC822CF648569E9050B686C336E456CAA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0134D1D4, Relevance: .1, Instructions: 72COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.392519880.000000000134D000.00000040.00000001.sdmp, Offset: 0134D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9b3d80145538eb58d48863d548278367055265a225ef3ceb7138d43314784fd6
                          • Instruction ID: d237e5b9b93b834588ed48725702bf2f9b903f503cbc726b1114ba1f926b8866
                          • Opcode Fuzzy Hash: 9b3d80145538eb58d48863d548278367055265a225ef3ceb7138d43314784fd6
                          • Instruction Fuzzy Hash: B8210475604244EFDB01CF94D9C0F26BBE9FB94328F24CA6DE9094B746C336E846CA61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0134D01C, Relevance: .1, Instructions: 72COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.392519880.000000000134D000.00000040.00000001.sdmp, Offset: 0134D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0dc0d5ee217393f8de4a6a410c6b115b188c7d1d19ba0dc8070d0908fbb6e1ba
                          • Instruction ID: 41e2dd365e102bec0c8aade7b62b2abce6807a3d37ab36285e2a8a9ba80ec1e4
                          • Opcode Fuzzy Hash: 0dc0d5ee217393f8de4a6a410c6b115b188c7d1d19ba0dc8070d0908fbb6e1ba
                          • Instruction Fuzzy Hash: 9D213475604244DFDB15CFA4D8C4F26BBA9FB94358F20C96DD80A4B746C33AE847CAA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0134D006, Relevance: .1, Instructions: 63COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.392519880.000000000134D000.00000040.00000001.sdmp, Offset: 0134D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 651b401cf9ac3fd1322833d2361b045034f5ee2a4e8ffbf094ba5bd0ea7d151d
                          • Instruction ID: 0a4d9c9e021d290b88700ff8b0c96bdbb7d76afa832c8b7f737bc956cd3851fb
                          • Opcode Fuzzy Hash: 651b401cf9ac3fd1322833d2361b045034f5ee2a4e8ffbf094ba5bd0ea7d151d
                          • Instruction Fuzzy Hash: B02150755083809FCB02CF54D994B11BFB1EB46214F28C5DAD8498F297C33A985ACB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0133D4BF, Relevance: .1, Instructions: 56COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.392349292.000000000133D000.00000040.00000001.sdmp, Offset: 0133D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0e6f7ffd02ba2a82b166b3eeb6ba4046df9914ebf0051f0c98ccf2b40a19682d
                          • Instruction ID: ffb49066ca57a51d23d0425b3190c5d4c01fcc35e3e9d7a197bd5df279ff81af
                          • Opcode Fuzzy Hash: 0e6f7ffd02ba2a82b166b3eeb6ba4046df9914ebf0051f0c98ccf2b40a19682d
                          • Instruction Fuzzy Hash: 3211D376504280CFDB12CF54D5C4B16BF71FB84328F24C6A9D8450B656C336D45ACBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0134D1CF, Relevance: .1, Instructions: 53COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.392519880.000000000134D000.00000040.00000001.sdmp, Offset: 0134D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a78bca70b3e9f58e795f9b530d0095e2f241f19884c38e31f49b3587a4c04f99
                          • Instruction ID: 9ba9213378dc10a1bd6ebf84431b8377a697023902e18ef2e4a51b6eca578679
                          • Opcode Fuzzy Hash: a78bca70b3e9f58e795f9b530d0095e2f241f19884c38e31f49b3587a4c04f99
                          • Instruction Fuzzy Hash: 32118B75504280DFDB12CF54D5C4B15BBB1FB84228F28C6A9D8494B756C33AE45ACBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0133D745, Relevance: .0, Instructions: 45COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.392349292.000000000133D000.00000040.00000001.sdmp, Offset: 0133D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0d5cd4eaaaee8a1ced68e8e703bb9ca8e503efed1042c4e511f0397e92b3c5de
                          • Instruction ID: 51c829f3e395b19b975ecce0628217fe179df6f8574d92518f4ee2aeff69b0a1
                          • Opcode Fuzzy Hash: 0d5cd4eaaaee8a1ced68e8e703bb9ca8e503efed1042c4e511f0397e92b3c5de
                          • Instruction Fuzzy Hash: 7401F7754043C49AE7128EA9CC84BA7BB9CEF8527CF48C55AED041B242D3799884C6B5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0133D744, Relevance: .0, Instructions: 36COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.392349292.000000000133D000.00000040.00000001.sdmp, Offset: 0133D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2bcdd79a7cd89c0051549367720f8b8c5d93acbce49af817cefe3e8103081433
                          • Instruction ID: d92f35fecb66397117674b3303dae0479dc5f753a1f1659176368fe23a1b804c
                          • Opcode Fuzzy Hash: 2bcdd79a7cd89c0051549367720f8b8c5d93acbce49af817cefe3e8103081433
                          • Instruction Fuzzy Hash: 97F062714042849EE7118E59CCC8BA3FF98EB85678F18C55AED085F386C3799844CAB5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions

                          Analysis Process: xepul.exe PID: 6884 Parent PID: 3292 xepul.exeCOMMON

                          Executed Functions

                          Function 02591B85, Relevance: 1.7, APIs: 1, Instructions: 247processCOMMON
                          Download Yara Rule
                          APIs
                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02591DC6
                          Memory Dump Source
                          • Source File: 00000017.00000002.427751957.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: 438d5ba8d15519c215a6f45ceb8fe0bfae76cc3c9bb61325453b2573d9d58d72
                          • Instruction ID: 35d069c431de8e1e03bc1817a0844ee21a5d30afcc60795e0edd817c06481a86
                          • Opcode Fuzzy Hash: 438d5ba8d15519c215a6f45ceb8fe0bfae76cc3c9bb61325453b2573d9d58d72
                          • Instruction Fuzzy Hash: 8FA16E75D0062ACFDF14CFA8C8807EDBBB6BF48314F148569D819A7280DB749985CF95
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02591B90, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                          Download Yara Rule
                          APIs
                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02591DC6
                          Memory Dump Source
                          • Source File: 00000017.00000002.427751957.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: 811cac43011b8750a19c62dc74053237bc81ecc260a36b9f202268dcdaa0d512
                          • Instruction ID: 0bc354ec04bfe4e8511ff267275d1664038fef8eb489e3b22f2432337b5673c0
                          • Opcode Fuzzy Hash: 811cac43011b8750a19c62dc74053237bc81ecc260a36b9f202268dcdaa0d512
                          • Instruction Fuzzy Hash: B8915E75D0062ACFDF14CFA8C880BEDBBB6BF48318F148569D819A7280DB749985CF95
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00B6FCEE, Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                          Download Yara Rule
                          APIs
                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00B6FE0A
                          Memory Dump Source
                          • Source File: 00000017.00000002.427135579.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                          Similarity
                          • API ID: CreateWindow
                          • String ID:
                          • API String ID: 716092398-0
                          • Opcode ID: f9f270ca5eb09f9adf09894027e7cb036744e4793747d81c9f101fd16a52497d
                          • Instruction ID: 4fd59a3893583d046841b09c48138b1313703dc8cd516a325aed00298448946e
                          • Opcode Fuzzy Hash: f9f270ca5eb09f9adf09894027e7cb036744e4793747d81c9f101fd16a52497d
                          • Instruction Fuzzy Hash: 4051BDB5D002099FDB14CFA9D884ADEBFF5FF48314F24812AE819AB250D775A985CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00B6DDCC, Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                          Download Yara Rule
                          APIs
                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00B6FE0A
                          Memory Dump Source
                          • Source File: 00000017.00000002.427135579.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                          Similarity
                          • API ID: CreateWindow
                          • String ID:
                          • API String ID: 716092398-0
                          • Opcode ID: e4157a3fcd69d9379826e0fa928ad17fd0c58c55077927d8f26a609bf4a204e5
                          • Instruction ID: 506b00eb93ef1e9bc38b059cc1abf73fcaf5a720c6e78948e49a0a2b2f52de66
                          • Opcode Fuzzy Hash: e4157a3fcd69d9379826e0fa928ad17fd0c58c55077927d8f26a609bf4a204e5
                          • Instruction Fuzzy Hash: 7D51CFB5D002099FDB14CF99D884ADEBFF5FF48314F24816AE819AB250D775A885CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00B63DE8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                          Download Yara Rule
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 00B65421
                          Memory Dump Source
                          • Source File: 00000017.00000002.427135579.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: e4391b71eecd4df3da098a5bb921d4d74ad8f85bb4e484b3096d9ed4c3e411c5
                          • Instruction ID: d46528fe2f5caf9d8244c0dfe025cb733bb663ba45cf1bc55e389330c9602d62
                          • Opcode Fuzzy Hash: e4391b71eecd4df3da098a5bb921d4d74ad8f85bb4e484b3096d9ed4c3e411c5
                          • Instruction Fuzzy Hash: 4F41E075C0061CCBDB24CFA9C884BDEBBF5BF48308F2085A9D409AB255DB756989CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02591721, Relevance: 1.6, APIs: 1, Instructions: 95threadinjectionCOMMON
                          Download Yara Rule
                          APIs
                          • SetThreadContext.KERNELBASE(?,00000000), ref: 025917EE
                          Memory Dump Source
                          • Source File: 00000017.00000002.427751957.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false
                          Similarity
                          • API ID: ContextThread
                          • String ID:
                          • API String ID: 1591575202-0
                          • Opcode ID: fd665069cf72e79a0f9361701d02d9954e9d89eb8c7b646c39e1daa2d2b5e6ce
                          • Instruction ID: 7c8ae0301660a488fdbba0c17332f508fe224e936a3b733374026d988bdb7291
                          • Opcode Fuzzy Hash: fd665069cf72e79a0f9361701d02d9954e9d89eb8c7b646c39e1daa2d2b5e6ce
                          • Instruction Fuzzy Hash: EC318D759003459FDB04CFA9C4967EEBFF4EF49228F28C46ED848A7242C779954ACB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00B6536E, Relevance: 1.6, APIs: 1, Instructions: 94COMMON
                          Download Yara Rule
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 00B65421
                          Memory Dump Source
                          • Source File: 00000017.00000002.427135579.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: 2689da70a851228c6c100c26918d937d8ad618f30920e38674343b7823a020a8
                          • Instruction ID: 175af162c8c802146264d48fe4db46875d239ba6445f9876d0c5dc97738e9d88
                          • Opcode Fuzzy Hash: 2689da70a851228c6c100c26918d937d8ad618f30920e38674343b7823a020a8
                          • Instruction Fuzzy Hash: D041D175C00619CBDB24CFA9C884BDEBBB5BF48308F2085A9D408AB255DB756989CF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02591901, Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON
                          Download Yara Rule
                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02591998
                          Memory Dump Source
                          • Source File: 00000017.00000002.427751957.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: b7a82b0438e8beeb27e4cdd043864d7c326f390ebf31e941805d866a4088d8f8
                          • Instruction ID: fc7e2038abd3306442f0b8a23269d7f66c6485c79a0250835937790a26b332a2
                          • Opcode Fuzzy Hash: b7a82b0438e8beeb27e4cdd043864d7c326f390ebf31e941805d866a4088d8f8
                          • Instruction Fuzzy Hash: 7A2144759003599FCF00CFA9C984BEEBBF5FF48318F10882AE919A7240C7789955CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02591020, Relevance: 1.6, APIs: 1, Instructions: 71threadCOMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000017.00000002.427751957.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: baf69a8f1a74cf69ca4fa82fbe25b8e7761f0ffeafacc5a4820538938e72e64b
                          • Instruction ID: 6616f4ac13dd1534dcc195193793f9aeb9d58c7ae5e00f529c4d04e8364a4f8b
                          • Opcode Fuzzy Hash: baf69a8f1a74cf69ca4fa82fbe25b8e7761f0ffeafacc5a4820538938e72e64b
                          • Instruction Fuzzy Hash: D32146B4D04249CFDB10DFA9D4447EEFBF5AB48218F20856AC419A7340CB755A46CB95
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02591908, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                          Download Yara Rule
                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02591998
                          Memory Dump Source
                          • Source File: 00000017.00000002.427751957.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: b9ea83e84f85248704b628e56aa5325bf900bbe02cffd88e407cb453b792176c
                          • Instruction ID: 32514174fdda2f6ff71c7946e9dc58cc26b1911a8d57bcca0d33b7e59e8e4b61
                          • Opcode Fuzzy Hash: b9ea83e84f85248704b628e56aa5325bf900bbe02cffd88e407cb453b792176c
                          • Instruction Fuzzy Hash: 472134759003599FCF10CFA9C984BEEBBF5FF48314F10882AE919A7240D778A945CBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 025919F1, Relevance: 1.6, APIs: 1, Instructions: 66COMMON
                          Download Yara Rule
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02591A78
                          Memory Dump Source
                          • Source File: 00000017.00000002.427751957.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: a2ca1ece13de6a0f6c1f37f8f1774bf2e8ac676ba713082ec2bd7d7631123fe2
                          • Instruction ID: 7a032bddcbded522ade1a62180f28992187e36a045ddb8831c73a13a78cd2e7b
                          • Opcode Fuzzy Hash: a2ca1ece13de6a0f6c1f37f8f1774bf2e8ac676ba713082ec2bd7d7631123fe2
                          • Instruction Fuzzy Hash: E0213675D002599FCB00CFA9D884AEEBBF5FF48324F14852AE519A7250D7789945CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00B6B8B2, Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                          Download Yara Rule
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B6B87E,?,?,?,?,?), ref: 00B6B93F
                          Memory Dump Source
                          • Source File: 00000017.00000002.427135579.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: c85d904afe0fa6a750633488cf438b8019ca910b137c90aae518e0535394504f
                          • Instruction ID: 9b20be76c93c7b5dd04a2543ffe0d03961858e0c32b1820f84e628ce07174ee5
                          • Opcode Fuzzy Hash: c85d904afe0fa6a750633488cf438b8019ca910b137c90aae518e0535394504f
                          • Instruction Fuzzy Hash: 7B21E4B5900219AFDB10CFA9D484ADEBFF9EB48324F14841AE915B3350D378A994CFA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00B69800, Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                          Download Yara Rule
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B6B87E,?,?,?,?,?), ref: 00B6B93F
                          Memory Dump Source
                          • Source File: 00000017.00000002.427135579.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: fd0cb1f9a0c8c76942ab81ecc13f187a4fd5970df1287aaefbbd49565e96a3e5
                          • Instruction ID: d9f8aeb5dfe77eb778bfbd8963021a17114ce01a61c7e78dd6662e29e024692c
                          • Opcode Fuzzy Hash: fd0cb1f9a0c8c76942ab81ecc13f187a4fd5970df1287aaefbbd49565e96a3e5
                          • Instruction Fuzzy Hash: 1A2116B5D00208AFDB10CFA9D484AEEBBF8EB48324F14845AE914B3310D378A954DFA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02591770, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON
                          Download Yara Rule
                          APIs
                          • SetThreadContext.KERNELBASE(?,00000000), ref: 025917EE
                          Memory Dump Source
                          • Source File: 00000017.00000002.427751957.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false
                          Similarity
                          • API ID: ContextThread
                          • String ID:
                          • API String ID: 1591575202-0
                          • Opcode ID: a1c3fba0cfa01a3b8b25cce1787a42fa628fefb4122896e2259a2e2b64905156
                          • Instruction ID: cc75f852f2c0bbf291ce317d0ef2679ad0eeec247cbf1984fedfdf43c586adc7
                          • Opcode Fuzzy Hash: a1c3fba0cfa01a3b8b25cce1787a42fa628fefb4122896e2259a2e2b64905156
                          • Instruction Fuzzy Hash: 4C2118759006198FCB10CFA9C484BEEBBF5EF48268F14C42AD519A7340DB789945CFA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 025919F8, Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                          Download Yara Rule
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02591A78
                          Memory Dump Source
                          • Source File: 00000017.00000002.427751957.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: 800b2a6cecf9d655cb5478c29db19026074f9e1aff2f4eb4ebdd95c7f0e8879b
                          • Instruction ID: 516b9e7b0752ee5de627c7110e1578c28e375ff28acc8b8cd77d9b34c8145949
                          • Opcode Fuzzy Hash: 800b2a6cecf9d655cb5478c29db19026074f9e1aff2f4eb4ebdd95c7f0e8879b
                          • Instruction Fuzzy Hash: 9F212575D002599FCF10CFA9D884AEEBBF5FF48314F54882AE919A7240C7789945DBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00B69478, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                          Download Yara Rule
                          APIs
                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B69951,00000800,00000000,00000000), ref: 00B69B62
                          Memory Dump Source
                          • Source File: 00000017.00000002.427135579.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: 643d574a09eaef93c50584fa446993463015d5dd2799505a43a123d8cea1ef8b
                          • Instruction ID: fc3d004eeaeeb5bf29a77cdcd02fd29c72f0491e446bf7945dc2fa29fdd23f74
                          • Opcode Fuzzy Hash: 643d574a09eaef93c50584fa446993463015d5dd2799505a43a123d8cea1ef8b
                          • Instruction Fuzzy Hash: B211D6B69002499FDB10CF9AD484ADEFBF8EB58314F14856AD519A7200C379A945CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00B69AF2, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                          Download Yara Rule
                          APIs
                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B69951,00000800,00000000,00000000), ref: 00B69B62
                          Memory Dump Source
                          • Source File: 00000017.00000002.427135579.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: d81627b767b4938f674c19059a5e0d0ea0f68dca43ded9b77d5ae20ac233b2a8
                          • Instruction ID: a924078c249cac8f2bd678e05301285daa115d76350a40c985be9116ee38b45a
                          • Opcode Fuzzy Hash: d81627b767b4938f674c19059a5e0d0ea0f68dca43ded9b77d5ae20ac233b2a8
                          • Instruction Fuzzy Hash: 161126B6D002099FDB10CF9AD484ADEFBF8EB48324F14852ED516A7200C379A945CFA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02591840, Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON
                          Download Yara Rule
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 025918B6
                          Memory Dump Source
                          • Source File: 00000017.00000002.427751957.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 21138b17e8e3803a5209f32f79ed516aa57c14c01664ba6f1501fb8433a79a70
                          • Instruction ID: c21cf7b4ab427c4cba1e8eb148d46a79ded89fe5119afa2831b8703ed469b5f8
                          • Opcode Fuzzy Hash: 21138b17e8e3803a5209f32f79ed516aa57c14c01664ba6f1501fb8433a79a70
                          • Instruction Fuzzy Hash: 1F1167769002098FCF10CFA9D4447EEBBF6FB48328F24882AD519A7250C7759955DF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02591848, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                          Download Yara Rule
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 025918B6
                          Memory Dump Source
                          • Source File: 00000017.00000002.427751957.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 86d2e899ee9928a609a1b02f0bfe39becbf0d96de8a61ba7d2d384099583da71
                          • Instruction ID: 9390a6f0d58aee43b4fd75fda059eed821a3cbafa5613701450e04bfe60041f9
                          • Opcode Fuzzy Hash: 86d2e899ee9928a609a1b02f0bfe39becbf0d96de8a61ba7d2d384099583da71
                          • Instruction Fuzzy Hash: E11167759002499FCF10CFA9D844BEFBBF9EF48324F248829E519A7200C7759945DFA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02596301, Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                          Download Yara Rule
                          APIs
                          • FindCloseChangeNotification.KERNELBASE(?), ref: 02596360
                          Memory Dump Source
                          • Source File: 00000017.00000002.427751957.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false
                          Similarity
                          • API ID: ChangeCloseFindNotification
                          • String ID:
                          • API String ID: 2591292051-0
                          • Opcode ID: 05340038171f3f4377eecb08bdff4b24b910036ea735b90a3374159ced7d12e0
                          • Instruction ID: ced3e40f296f80360474d2d08b143b7ab9683c4ee9d6cd15d9e7806115438c7f
                          • Opcode Fuzzy Hash: 05340038171f3f4377eecb08bdff4b24b910036ea735b90a3374159ced7d12e0
                          • Instruction Fuzzy Hash: 86114CB5D002098FCB10CF99D5857DEBBF4FB48324F24842AD968A7340D778A589CFA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02595910, Relevance: 1.6, APIs: 1, Instructions: 50windowCOMMON
                          Download Yara Rule
                          APIs
                          • PostMessageW.USER32(?,?,?,?), ref: 02595975
                          Memory Dump Source
                          • Source File: 00000017.00000002.427751957.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false
                          Similarity
                          • API ID: MessagePost
                          • String ID:
                          • API String ID: 410705778-0
                          • Opcode ID: 33c51658b67a84cb3e9d2f09e475286ebc5c68928210188ed1c340731e05a37b
                          • Instruction ID: b9000e5c2dcc2ba125740a32cc5daa7355555a201f9263afd862d1a5c039c9e6
                          • Opcode Fuzzy Hash: 33c51658b67a84cb3e9d2f09e475286ebc5c68928210188ed1c340731e05a37b
                          • Instruction Fuzzy Hash: 021156B59002498FEF11CF99D488BEEBFF4FB08328F24844AD515A7211D374A999CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02591078, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000017.00000002.427751957.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: 32babdca3e7d63a48987066ff133f054a6e7e83fa2f76a57f64f7ca43d640782
                          • Instruction ID: 7fb36a53fb41f0be880bb9923e0fcefd19dd753215ee8cd74f5037d3bd11b5a9
                          • Opcode Fuzzy Hash: 32babdca3e7d63a48987066ff133f054a6e7e83fa2f76a57f64f7ca43d640782
                          • Instruction Fuzzy Hash: 451128759002498FCB10DFAAD4447EEFBF9AB48228F248829D519A7240CB79A945CB94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02591070, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000017.00000002.427751957.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: 39aab0cc14acb408986809726f1312e2e68daec550b4084ad649e78ca0ef927b
                          • Instruction ID: 964dc547d977bfc6b5bfe575acea52c55d33165db436da2079381bf5f9b53721
                          • Opcode Fuzzy Hash: 39aab0cc14acb408986809726f1312e2e68daec550b4084ad649e78ca0ef927b
                          • Instruction Fuzzy Hash: 89112B759006498FDB14CFA9D4447EEFBF9AF48318F248829C519A7340CB796945CF94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00B69869, Relevance: 1.5, APIs: 1, Instructions: 48COMMON
                          Download Yara Rule
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00B698D6
                          Memory Dump Source
                          • Source File: 00000017.00000002.427135579.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: 011a52ad2a7e5b554bded3b0f29059c0933643fdf6c67c3ff195f46b34303b20
                          • Instruction ID: 7691c0fafb239eb626fa930426e7a1a591244042d529ca297004a6ae2e6e38b6
                          • Opcode Fuzzy Hash: 011a52ad2a7e5b554bded3b0f29059c0933643fdf6c67c3ff195f46b34303b20
                          • Instruction Fuzzy Hash: 961102B5C002498FCB10CF9AD444ADEFBF8EF49324F14856AD429B7600C379A54ACFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02596308, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                          Download Yara Rule
                          APIs
                          • FindCloseChangeNotification.KERNELBASE(?), ref: 02596360
                          Memory Dump Source
                          • Source File: 00000017.00000002.427751957.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false
                          Similarity
                          • API ID: ChangeCloseFindNotification
                          • String ID:
                          • API String ID: 2591292051-0
                          • Opcode ID: f8c480783a9c1a54b598176bbdab16afee901a9757a3d3793b5340ad5a0c94f9
                          • Instruction ID: 0465b6eedf68c1cfbc57b4d61e3042a7dbe32d4781ffa58c17a58eb7d2d0bdda
                          • Opcode Fuzzy Hash: f8c480783a9c1a54b598176bbdab16afee901a9757a3d3793b5340ad5a0c94f9
                          • Instruction Fuzzy Hash: 6F1148B58002098FCB10CF99D544BDEBBF8FB48324F24841AD568A7340C338A988CFA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00B69870, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                          Download Yara Rule
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00B698D6
                          Memory Dump Source
                          • Source File: 00000017.00000002.427135579.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: 7c2c723c68638597bc9e6afeadb00f5d5552c19a5f2013f71d4b4c8afdc7e1b5
                          • Instruction ID: 53f1ccc720a1c6454f4f378f2a0ecf938b4866e35ea3857ee78744f35df4614a
                          • Opcode Fuzzy Hash: 7c2c723c68638597bc9e6afeadb00f5d5552c19a5f2013f71d4b4c8afdc7e1b5
                          • Instruction Fuzzy Hash: EF11E0B6D006498FDB10CF9AD444BDEFBF8EB89324F14856AD429B7600C379A549CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00B6DE04, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                          Download Yara Rule
                          APIs
                          • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,00B6FF28,?,?,?,?), ref: 00B6FF9D
                          Memory Dump Source
                          • Source File: 00000017.00000002.427135579.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                          Similarity
                          • API ID: LongWindow
                          • String ID:
                          • API String ID: 1378638983-0
                          • Opcode ID: 23ddb90a88e119cf5a6d541af5d5c6582167cf1f08527a820aee7ad5e20ab55d
                          • Instruction ID: 6fb5b5b910b968eaab31c1fc38ea3ce3ac9e3550fd1a3555efaa6aa082fbd5e8
                          • Opcode Fuzzy Hash: 23ddb90a88e119cf5a6d541af5d5c6582167cf1f08527a820aee7ad5e20ab55d
                          • Instruction Fuzzy Hash: 47111CB59002099FDB10CF99D584BEEFBF8EB48324F208459E915B7340C374A944CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00B6FF38, Relevance: 1.5, APIs: 1, Instructions: 46COMMON
                          Download Yara Rule
                          APIs
                          • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,00B6FF28,?,?,?,?), ref: 00B6FF9D
                          Memory Dump Source
                          • Source File: 00000017.00000002.427135579.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                          Similarity
                          • API ID: LongWindow
                          • String ID:
                          • API String ID: 1378638983-0
                          • Opcode ID: d2cf9f13a60c19c30b596067744d0191cba6a1ad5f3ea39bcc2f33f82d5adde5
                          • Instruction ID: bf44d526b58dc5f99c67c2ac5e642d11185fcfe4fc5102b809ea0c511b4fe1e0
                          • Opcode Fuzzy Hash: d2cf9f13a60c19c30b596067744d0191cba6a1ad5f3ea39bcc2f33f82d5adde5
                          • Instruction Fuzzy Hash: 461148B58002098FCB10CF99D488BDEFBF4FB48324F20845AE915A7340C378A944CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02595918, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON
                          Download Yara Rule
                          APIs
                          • PostMessageW.USER32(?,?,?,?), ref: 02595975
                          Memory Dump Source
                          • Source File: 00000017.00000002.427751957.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false
                          Similarity
                          • API ID: MessagePost
                          • String ID:
                          • API String ID: 410705778-0
                          • Opcode ID: 6151c845810608b480d9bf83f359a39848c985ed5efb7fa97a134163779d9fa4
                          • Instruction ID: 7b14f4e18b4c4e028130b7fde6af9bc726b735470a591e7c42af97adb9fda420
                          • Opcode Fuzzy Hash: 6151c845810608b480d9bf83f359a39848c985ed5efb7fa97a134163779d9fa4
                          • Instruction Fuzzy Hash: 461103B58002489FDB10CF99D488BDEBBF8FB48324F24841AE515A7200C374A984CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0091D4C4, Relevance: .1, Instructions: 75COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000017.00000002.426517940.000000000091D000.00000040.00000001.sdmp, Offset: 0091D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 54a63474433a30e47acdbe2cd3f0de0bfceaa031ba9a06a2af7e91d536131984
                          • Instruction ID: 733238ece1f6be38fdf543f840cbb0e9a0c1edf6ae51c90e882b0ccfadcdc0fe
                          • Opcode Fuzzy Hash: 54a63474433a30e47acdbe2cd3f0de0bfceaa031ba9a06a2af7e91d536131984
                          • Instruction Fuzzy Hash: 61213A71604248DFDB05DF14D9C0FA6BF6AFB84318F24C969E8050B25AC336D895DBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00B0D1D4, Relevance: .1, Instructions: 72COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000017.00000002.426826004.0000000000B0D000.00000040.00000001.sdmp, Offset: 00B0D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d2451a9e0abcde1dd35b9095504d5158c3a90c6fb44f52a845f498b754068c08
                          • Instruction ID: 89550c583bcdd5466505e3b8a251ff85ecb1dcc56144b8c5b34e5389153f4085
                          • Opcode Fuzzy Hash: d2451a9e0abcde1dd35b9095504d5158c3a90c6fb44f52a845f498b754068c08
                          • Instruction Fuzzy Hash: D021F275604244EFDB01DF94D9C0F26BFA5FB84314F24C9ADE8094B2C6C336D856CA61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00B0D01C, Relevance: .1, Instructions: 72COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000017.00000002.426826004.0000000000B0D000.00000040.00000001.sdmp, Offset: 00B0D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9ca8f1935f19e42d62a02b8fc6427e6a43b3f1f04ffb510a0b580ce9e38431ab
                          • Instruction ID: 3b42b9f199da86c6e73a16ba73f7103f2b882d93370f90e89a140749b8796ab5
                          • Opcode Fuzzy Hash: 9ca8f1935f19e42d62a02b8fc6427e6a43b3f1f04ffb510a0b580ce9e38431ab
                          • Instruction Fuzzy Hash: A521D075604244DFDB14CFA4D9D4B26BFA5FB84324F24C9A9D80E4B2C6D336D846CAA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00B0D006, Relevance: .1, Instructions: 63COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000017.00000002.426826004.0000000000B0D000.00000040.00000001.sdmp, Offset: 00B0D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 58ede166f46528a698d4bdd4b5d82554ea2268ce8ad7437717af207d500425d7
                          • Instruction ID: 4695bc2663336ee56401381fa116faded550363731413cd17c5df72a31f3b35d
                          • Opcode Fuzzy Hash: 58ede166f46528a698d4bdd4b5d82554ea2268ce8ad7437717af207d500425d7
                          • Instruction Fuzzy Hash: 822184755083809FCB02CF54D994B11BFB1EB46314F28C5DAD8498F697D33AD85ACB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0091D4BF, Relevance: .1, Instructions: 56COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000017.00000002.426517940.000000000091D000.00000040.00000001.sdmp, Offset: 0091D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0e6f7ffd02ba2a82b166b3eeb6ba4046df9914ebf0051f0c98ccf2b40a19682d
                          • Instruction ID: 34789691d10bff62e9e965326911ca0e33f7dc1bd4862be54ed1b08613770179
                          • Opcode Fuzzy Hash: 0e6f7ffd02ba2a82b166b3eeb6ba4046df9914ebf0051f0c98ccf2b40a19682d
                          • Instruction Fuzzy Hash: C811E676504284CFCF15CF10D5C4B56BF72FB84324F24C6A9E8450B65AC336D89ACBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00B0D1CF, Relevance: .1, Instructions: 53COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000017.00000002.426826004.0000000000B0D000.00000040.00000001.sdmp, Offset: 00B0D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a78bca70b3e9f58e795f9b530d0095e2f241f19884c38e31f49b3587a4c04f99
                          • Instruction ID: 7abda73b7916be9ab4abad2e88009be99505684bf2803963d938b163f67d4d8d
                          • Opcode Fuzzy Hash: a78bca70b3e9f58e795f9b530d0095e2f241f19884c38e31f49b3587a4c04f99
                          • Instruction Fuzzy Hash: C7118B75504280DFCB11CF54D5C4B15BFA1FB84324F28C6A9D8494B696C33AD85ACBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0091D745, Relevance: .0, Instructions: 45COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000017.00000002.426517940.000000000091D000.00000040.00000001.sdmp, Offset: 0091D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 392d1ab188ebba1fb475dc106a66d5e476349837784085ec991334dfc27206bc
                          • Instruction ID: e5a16e1ac71669c22fbaa01d5d86fde95d4af1942e3b8e58b1d53ee0ea7d8157
                          • Opcode Fuzzy Hash: 392d1ab188ebba1fb475dc106a66d5e476349837784085ec991334dfc27206bc
                          • Instruction Fuzzy Hash: B501F7B52053489AE7108E65CC84BE7FB9CDF41338F18891AE9081F282D37998C4CAB1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0091D744, Relevance: .0, Instructions: 36COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000017.00000002.426517940.000000000091D000.00000040.00000001.sdmp, Offset: 0091D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c4feb02bf91d19118456267dcc5764b311dd0b89da086552badd0ebf1e54bd1a
                          • Instruction ID: 919de7bb66a8acde6916c8547b90025d5230d4ae91e99990f01f5ee67a839708
                          • Opcode Fuzzy Hash: c4feb02bf91d19118456267dcc5764b311dd0b89da086552badd0ebf1e54bd1a
                          • Instruction Fuzzy Hash: D0F04F75505288AAE7108E15DC88BA3FB9CEB51734F18C45AED085E286C2799C84CAA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions