Windows Analysis Report
Purchase order(600010310,10303).exe

Overview

General Information

Sample name: Purchase order(600010310,10303).exe
Analysis ID: 1471984
MD5: 897eed97e49be61757f1a9a4297f669a
SHA1: e7c07af23f6048b8661b3896ab1451ead71552cf
SHA256: 9d3a9d1466d81346ab6324ccd10a855137c6b93ac6fdd6cba5e67621b047fb63
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected RedLine Stealer
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection

Source: Purchase order(600010310,10303).exe Avira: detected
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Avira: detection malicious, Label: HEUR/AGEN.1309691
Source: 10.2.Purchase order(600010310,10303).exe.400000.0.unpack Malware Configuration Extractor: RedLine {"C2 url": ["204.10.160.198:1950"], "Bot Id": "1000", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Virustotal: Detection: 35%
Source: Purchase order(600010310,10303).exe ReversingLabs: Detection: 21%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Joe Sandbox ML: detected
Source: Purchase order(600010310,10303).exe Joe Sandbox ML: detected
Source: Purchase order(600010310,10303).exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Purchase order(600010310,10303).exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Code function: 4x nop then jmp 06B002F1h 10_2_06B00040
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Code function: 4x nop then jmp 06B0132Ah 10_2_06B00F08
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Code function: 4x nop then jmp 06B017AAh 10_2_06B00F08
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Code function: 4x nop then jmp 06B00D3Dh 10_2_06B00970
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Code function: 4x nop then jmp 06B00D3Dh 10_2_06B0096B
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Code function: 4x nop then jmp 07AB698Dh 15_2_07AB66C8
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Code function: 4x nop then jmp 07AB9A50h 15_2_07AB9558
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Code function: 4x nop then jmp 07AB02F4h 15_2_07AB0040
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Code function: 4x nop then jmp 07AB50DAh 15_2_07AB4CB8
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Code function: 4x nop then jmp 07AB555Ah 15_2_07AB4CB8
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Code function: 4x nop then jmp 07AB718Fh 15_2_07AB6A30
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Code function: 4x nop then jmp 07AB400Ah 15_2_07AB3FF2

Networking

Source: Traffic Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.7:49702 -> 204.10.160.198:1950
Source: Traffic Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.7:49702 -> 204.10.160.198:1950
Source: Traffic Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 204.10.160.198:1950 -> 192.168.2.7:49702
Source: Traffic Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.7:49704 -> 204.10.160.198:1950
Source: Traffic Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.7:49704 -> 204.10.160.198:1950
Source: Traffic Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 204.10.160.198:1950 -> 192.168.2.7:49704
Source: Traffic Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 204.10.160.198:1950 -> 192.168.2.7:49702
Source: Traffic Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 204.10.160.198:1950 -> 192.168.2.7:49704
Source: Malware configuration extractor URLs: 204.10.160.198:1950
Source: global traffic TCP traffic: 192.168.2.7:49702 -> 204.10.160.198:1950
Source: Joe Sandbox View ASN Name: UNREAL-SERVERSUS UNREAL-SERVERSUS
Source: Purchase order(600010310,10303).exe, AmEFEED.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Purchase order(600010310,10303).exe, AmEFEED.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Purchase order(600010310,10303).exe, AmEFEED.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Purchase order(600010310,10303).exe, AmEFEED.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Purchase order(600010310,10303).exe, AmEFEED.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Purchase order(600010310,10303).exe, AmEFEED.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Purchase order(600010310,10303).exe, AmEFEED.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Purchase order(600010310,10303).exe, AmEFEED.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Purchase order(600010310,10303).exe, AmEFEED.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: AmEFEED.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Purchase order(600010310,10303).exe, AmEFEED.exe.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: Purchase order(600010310,10303).exe, AmEFEED.exe.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: Purchase order(600010310,10303).exe, AmEFEED.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: Purchase order(600010310,10303).exe, AmEFEED.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: Purchase order(600010310,10303).exe, AmEFEED.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: Purchase order(600010310,10303).exe, AmEFEED.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002811000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000031E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000290E000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002C13000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: Purchase order(600010310,10303).exe, AmEFEED.exe.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: Purchase order(600010310,10303).exe, 00000000.00000002.1218881149.00000000042DC000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 00000000.00000002.1218881149.0000000004299000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 00000000.00000002.1218881149.0000000004327000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, Purchase order(600010310,10303).exe, 0000000A.00000002.1390289229.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: Purchase order(600010310,10303).exe, AmEFEED.exe.0.dr String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

System Summary

Source: Purchase order(600010310,10303).exe, frmHome.cs Large array initialization: array initializer size 632157
Source: initial sample Static PE information: Filename: Purchase order(600010310,10303).exe
Source: Purchase order(600010310,10303).exe, 00000000.00000002.1224325484.0000000005A10000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCAA.dll4 vs Purchase order(600010310,10303).exe
Source: Purchase order(600010310,10303).exe, 00000000.00000002.1218881149.0000000004372000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs Purchase order(600010310,10303).exe
Source: Purchase order(600010310,10303).exe, 00000000.00000002.1228258309.0000000007640000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Purchase order(600010310,10303).exe
Source: Purchase order(600010310,10303).exe, 00000000.00000002.1218881149.00000000042DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs Purchase order(600010310,10303).exe
Source: Purchase order(600010310,10303).exe, 00000000.00000002.1217601631.0000000003291000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCAA.dll4 vs Purchase order(600010310,10303).exe
Source: Purchase order(600010310,10303).exe, 00000000.00000000.1198277848.0000000000D92000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1002.exe8 vs Purchase order(600010310,10303).exe
Source: Purchase order(600010310,10303).exe, 00000000.00000002.1215928472.000000000147E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Purchase order(600010310,10303).exe
Source: Purchase order(600010310,10303).exe, 00000000.00000002.1218881149.0000000004327000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs Purchase order(600010310,10303).exe
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs Purchase order(600010310,10303).exe
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1390289229.0000000000446000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs Purchase order(600010310,10303).exe
Source: Purchase order(600010310,10303).exe Binary or memory string: OriginalFilename421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1002.exe8 vs Purchase order(600010310,10303).exe
Source: Purchase order(600010310,10303).exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Purchase order(600010310,10303).exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: AmEFEED.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, A02lWqFmjR3abltr0q.cs Security API names: _0020.SetAccessControl
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, A02lWqFmjR3abltr0q.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, A02lWqFmjR3abltr0q.cs Security API names: _0020.AddAccessRule
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, pT1DulOxAZOYvY6Iyi.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@21/15@0/1
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe File created: C:\Users\user\AppData\Roaming\AmEFEED.exe
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6308:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3624:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5884:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2924:120:WilError_03
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe File created: C:\Users\user\AppData\Local\Temp\tmp2BEC.tmp
Source: Purchase order(600010310,10303).exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Purchase order(600010310,10303).exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: AmEFEED.exe, 0000000F.00000002.1437616304.000000000372F000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000037D4000.00000004.00000800.00020000.00000000.sdmp, AmEFEED.exe, 0000000F.00000002.1437616304.00000000037BE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Purchase order(600010310,10303).exe ReversingLabs: Detection: 21%
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe File read: C:\Users\user\Desktop\Purchase order(600010310,10303).exe
Source: unknown Process created: C:\Users\user\Desktop\Purchase order(600010310,10303).exe "C:\Users\user\Desktop\Purchase order(600010310,10303).exe"
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase order(600010310,10303).exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AmEFEED.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AmEFEED" /XML "C:\Users\user\AppData\Local\Temp\tmp2BEC.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Process created: C:\Users\user\Desktop\Purchase order(600010310,10303).exe "C:\Users\user\Desktop\Purchase order(600010310,10303).exe"
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Process created: C:\Users\user\Desktop\Purchase order(600010310,10303).exe "C:\Users\user\Desktop\Purchase order(600010310,10303).exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\AmEFEED.exe C:\Users\user\AppData\Roaming\AmEFEED.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AmEFEED" /XML "C:\Users\user\AppData\Local\Temp\tmp3AB1.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process created: C:\Users\user\AppData\Roaming\AmEFEED.exe "C:\Users\user\AppData\Roaming\AmEFEED.exe"
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Purchase order(600010310,10303).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Purchase order(600010310,10303).exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Purchase order(600010310,10303).exe, frmMemberLogin.cs .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, A02lWqFmjR3abltr0q.cs .Net Code: vsdf08RIiw System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Code function: 0_2_0310A408 pushfd ; iretd 0_2_0310A40D
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Code function: 0_2_052E1B4C push eax; retf 0_2_052E1B4D
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Code function: 0_2_0583E410 push eax; mov dword ptr [esp], edx 0_2_0583E424
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Code function: 0_2_058302F7 push esp; ret 0_2_05830301
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Code function: 10_2_04EDD442 push eax; ret 10_2_04EDD451
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Code function: 11_2_057CA408 pushfd ; iretd 11_2_057CA40D
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Code function: 11_2_07737405 push 5D906BFDh; ret 11_2_0773741B
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Code function: 11_2_07730014 push eax; retf 11_2_07730015
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Code function: 11_2_077310F8 push edi; retf 11_2_07731116
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Code function: 15_2_07AB0E78 push es; iretd 15_2_07AB0E84
Source: Purchase order(600010310,10303).exe Static PE information: section name: .text entropy: 7.63325835072001
Source: AmEFEED.exe.0.dr Static PE information: section name: .text entropy: 7.63325835072001
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, isP52MdDaMEy9iv4hA.cs High entropy of concatenated method names: 'RUISHt8Nkv', 'BLYSo09Tr8', 'ArrSMp25pK', 'sLDStk1BUv', 'dSqS1wKNDy', 'GFhSGjybsZ', 'LRaSpVMQfr', 'eYkS9BXsb4', 'GwiSeYKUlw', 'c24ShdQJCy'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, FIKbgEeGLlNSjWbMsr.cs High entropy of concatenated method names: 'O1HDk80jfR', 'YhqDrQ0KZg', 'G9JDHtlcjl', 'uXXDoZswP6', 'y5EDc6yrwY', 'vN5DLN6nGI', 'wxXDaNfTyh', 'ShoDvCZtrG', 'ouEDxdqa5B', 'g2ZDYHY7sc'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, TUZyLY39kqqbo7ymMX.cs High entropy of concatenated method names: 'MQHaquR4od', 'lPOajXdkgQ', 'ToString', 'yhlaOHEsbY', 'FlqabCWZAW', 'WSpaDMFhkS', 'JjUa4of6fl', 'Pi1aKPnJSh', 'UrYaXCO2Px', 'u9waPSWkii'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, d9cBSbjGYsqg6UBKoj.cs High entropy of concatenated method names: 'UyGKA5A58M', 'e94KbuMPQO', 'aT2K44wc2T', 'nbwKXDt4iv', 'DxnKPJJMDC', 'P214yPma5S', 'Woy437vI39', 'fcI4FjXMAu', 'UkO4284osX', 'lC94sUTCjV'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, A02lWqFmjR3abltr0q.cs High entropy of concatenated method names: 'L6RWAuoBZJ', 'QHZWOi55eX', 'lixWbWGZIj', 'f00WD2nh2e', 'tvMW44Nxfu', 'YjBWK3b6R2', 'B7fWXivpt5', 'b52WPG8SAI', 'E3HWm8BI6H', 'HbCWqu2T8U'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, mGEDskpTM3VZ3I6Dnv.cs High entropy of concatenated method names: 'FQ9cemDEEB', 'R4Lc7xXeex', 'Ckxc5TC0Y2', 'rb1cTZ2dYD', 'Trgct1lfbp', 'fEWclTkHCq', 'zd4c1nxX1k', 'AqbcGcukNV', 'dL6cRRmeGA', 'xivcp98i1V'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, yrQuwkX28MEWnClaqA.cs High entropy of concatenated method names: 'uPYxiaAgcZ', 'BMKxWkC4Q9', 'NmqxfXBKkJ', 'PBRxOj1Pkx', 'VjOxbriGL6', 'kgDx4FnTqg', 'j3gxKBobeZ', 'sT0vFLEgxS', 'FpSv2QMGwY', 'DY6vsTSIng'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, qmSSbSceWyWraCE9Il.cs High entropy of concatenated method names: 'paBXC46nXv', 'DvfXUJQTIn', 'YtbX0Bojp9', 'UfhXkOyblf', 'znsXNaiFNM', 'p5xXryhkZd', 'OSlX6oNxl4', 'fPfXHsFDmN', 'yBsXo5jfx2', 'kJ6XBBLVhX'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, A2FdtoVw4vWkAwhvme.cs High entropy of concatenated method names: 'n950MLFiC4UAMVjsmgw', 'fUk1f1F3lmWAbZioEpQ', 'y3CKvBPhKr', 'TNWKxB4sVj', 'Rl4KY7AW3p', 'GDdjtMF6agUbTLFZyEy', 'pFrJTXFYOItGIhs7xqs'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, BAm6v79nxUE2ZvZmVg.cs High entropy of concatenated method names: 'Dispose', 'srJisuYHNU', 'IksutwWLo7', 'oJuwwpe0mO', 'O52infigPw', 'LCbizPYfhu', 'ProcessDialogKey', 'aWMudV29rc', 'BQUuiBr6k5', 'FEKuutUV6s'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, TkTbvJwcS9dchRAgmr.cs High entropy of concatenated method names: 'IZTa2jXVjy', 'gmTanNewCU', 'gkWvdhFIKy', 'nF5viri6yg', 'U56ahp75sT', 'RJJa7pKsHT', 'iWhaE44g9U', 'v9ea5qiM5U', 'KGqaT5r5l9', 'ylgaZyR8JY'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, IiTu2yg8PgtOhrQmM7.cs High entropy of concatenated method names: 'bGnvMcTcNp', 'QOQvtjRYGr', 'oSQvlQdmZh', 'yK9v1JBkWS', 'zDYv5S8vl4', 'Vj6vGAXGXM', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, ru2oAmzQHFgxYJ5xgF.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DLcxSr99IW', 'vlxxc4CHvl', 'osYxLYcAkj', 'RcmxaW0ldu', 'KW7xvtPj4f', 'qiAxx4BbvL', 'uypxYEZUmT'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, J4eFVe8XeevqFh3Fso.cs High entropy of concatenated method names: 'L34iXy8hnr', 'PqwiP3oqIq', 'gPJiqBGpd8', 'v66ijt0X38', 'AxLic0iMcH', 'JiNiLAqpns', 'cwTsEaGOfisDaVysmm', 'YKPpkR5m8gLYOHEG2g', 'hT3iisH3rq', 'OQXiWpv8fv'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, NuGuLguviiltQanZDm.cs High entropy of concatenated method names: 'SP0vOB5hsb', 'DD1vbXWwg5', 'ujJvDgGH5f', 'JWpv4yMgUO', 'lpNvKY1w3h', 'nXQvXClbaO', 'k0QvP3pcvN', 'dBYvmK9l76', 'zaqvqHgCgb', 'vQVvj3fNjW'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, riZVJXa7wnT1c9fehv4.cs High entropy of concatenated method names: 'LL5xCoA4oJ', 'DhqxUSG82T', 'o1Lx0j6VMO', 'KAxxkjOwSQ', 'k0axNZCcbi', 'SW8xrC7Rj3', 'qXkx6IG6Zo', 'NHrxHL4ws4', 'oadxoZkiBZ', 'QeQxBQVwMX'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, uT4hvDaSdvKrhPGgP72.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lTuY5raq2V', 'iB8YTPC05w', 'MHIYZLogt5', 'FqGY8UndWY', 'IxsYygm9mZ', 'W5yY3YnSqX', 'ATRYFHNC4r'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, pT1DulOxAZOYvY6Iyi.cs High entropy of concatenated method names: 'KyHb5o9ku3', 'sB2bTk6d0J', 'iAPbZsmlpr', 'OSub8R0tOk', 'UgabyP4jsW', 'yRIb3wMrAl', 'Aw6bFyPJGp', 'sQKb2ABexP', 'Ah8bsblStq', 'sYrbnOZYk0'
Source: 0.2.Purchase order(600010310,10303).exe.7640000.6.raw.unpack, S2WWDQlbOZhr5MVkMT.cs High entropy of concatenated method names: 'NLo0nEGqx', 'imnkoFmsD', 'lRHr0egFv', 'hVD6A5dE9', 'xeVoL5E90', 'XSVBpFHGw', 'FrkYZTLBRqNS5NQlO9', 'V54YW5lB0qgYeqwUWL', 'TeJvWjWoU', 'nmAYjDBi3'
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe File created: C:\Users\user\AppData\Roaming\AmEFEED.exe

Boot Survival

Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AmEFEED" /XML "C:\Users\user\AppData\Local\Temp\tmp2BEC.tmp"

Hooking and other Techniques for Hiding and Protection

Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (15).png
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Purchase order(600010310,10303).exe PID: 1072, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AmEFEED.exe PID: 6856, type: MEMORYSTR
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Memory allocated: 15E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Memory allocated: 3290000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Memory allocated: 5290000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Memory allocated: 7D10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Memory allocated: 76E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Memory allocated: 7D10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Memory allocated: 2630000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Memory allocated: 2810000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Memory allocated: 4810000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Memory allocated: 1560000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Memory allocated: 31C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Memory allocated: 51C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Memory allocated: 7850000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Memory allocated: 8850000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Memory allocated: 8AE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Memory allocated: 9AE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Memory allocated: 1680000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Memory allocated: 31E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Memory allocated: 1830000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6514
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 866
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9072
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 444
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Window / User API: threadDelayed 7619
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Window / User API: threadDelayed 2091
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Window / User API: threadDelayed 1454
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Window / User API: threadDelayed 6406
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe TID: 5412 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2024 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2924 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5724 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5292 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe TID: 7448 Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe TID: 6500 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe TID: 7620 Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe TID: 6608 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Thread delayed: delay time: 922337203685477
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231LR
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: AmEFEED.exe, 0000000B.00000002.1251429710.0000000001671000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: AmEFEED.exe, 0000000F.00000002.1435468788.0000000001508000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: AmEFEED.exe, 0000000F.00000002.1444389166.000000000444A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1391296367.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: AmEFEED.exe, 0000000F.00000002.1437616304.00000000036F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: AmEFEED.exe, 0000000F.00000002.1444389166.0000000004633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Code function: 15_2_07AB7D88 LdrInitializeThunk, 15_2_07AB7D88
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase order(600010310,10303).exe"
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AmEFEED.exe"
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase order(600010310,10303).exe"
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AmEFEED.exe"
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Memory written: C:\Users\user\AppData\Roaming\AmEFEED.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase order(600010310,10303).exe"
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AmEFEED.exe"
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AmEFEED" /XML "C:\Users\user\AppData\Local\Temp\tmp2BEC.tmp"
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Process created: C:\Users\user\Desktop\Purchase order(600010310,10303).exe "C:\Users\user\Desktop\Purchase order(600010310,10303).exe"
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Process created: C:\Users\user\Desktop\Purchase order(600010310,10303).exe "C:\Users\user\Desktop\Purchase order(600010310,10303).exe"
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AmEFEED" /XML "C:\Users\user\AppData\Local\Temp\tmp3AB1.tmp"
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Process created: C:\Users\user\AppData\Roaming\AmEFEED.exe "C:\Users\user\AppData\Roaming\AmEFEED.exe"
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Users\user\Desktop\Purchase order(600010310,10303).exe VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Users\user\Desktop\Purchase order(600010310,10303).exe VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Queries volume information: C:\Users\user\AppData\Roaming\AmEFEED.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Queries volume information: C:\Users\user\AppData\Roaming\AmEFEED.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.Purchase order(600010310,10303).exe.42e4b90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase order(600010310,10303).exe.4299970.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase order(600010310,10303).exe.4299970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase order(600010310,10303).exe.42e4b90.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Purchase order(600010310,10303).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1218881149.00000000042DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1218881149.0000000004299000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1390289229.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1218881149.0000000004327000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase order(600010310,10303).exe PID: 1072, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Purchase order(600010310,10303).exe PID: 2516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AmEFEED.exe PID: 3604, type: MEMORYSTR
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ElectrumE#
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000295F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q5C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.0000000002CB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000295F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.walletLR
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000295F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum\walletsLR
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ExodusE#
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000295F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: qdC:\Users\user\AppData\Roaming\Binance
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: EthereumE#
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000295F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q&%localappdata%\Coinomi\Coinomi\walletsLR
Source: Purchase order(600010310,10303).exe, 0000000A.00000002.1392894602.000000000295F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q9C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\Desktop\Purchase order(600010310,10303).exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Roaming\AmEFEED.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: Yara match File source: 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase order(600010310,10303).exe PID: 2516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AmEFEED.exe PID: 3604, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.Purchase order(600010310,10303).exe.42e4b90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase order(600010310,10303).exe.4299970.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase order(600010310,10303).exe.4299970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase order(600010310,10303).exe.42e4b90.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Purchase order(600010310,10303).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1218881149.00000000042DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1218881149.0000000004299000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1392894602.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1390289229.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1218881149.0000000004327000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1437616304.0000000003276000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase order(600010310,10303).exe PID: 1072, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Purchase order(600010310,10303).exe PID: 2516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AmEFEED.exe PID: 3604, type: MEMORYSTR