
Analysis Report purchase order oct_20_80373592_80373595

Overview

General Information

Sample Name: purchase order oct_20_80373592_80373595 (renamed file extension from none to exe)
Analysis ID: 289595
MD5: 70a3002b8a40775f4856fc2cc8330b84
SHA1: eef7bac7da1d3a40f6222ddfc08962db40c0e385
SHA256: 8dc9d32f21b231d0d1ed00ff04eae170eb680034e4079db1f6e17079ab5aa2f9
Tags: agenttesla


Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Drops PE files to the startup folder
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
May check the online IP address of the machine
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • purchase order oct_20_80373592_80373595.exe (PID: 6524 cmdline: 'C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe' MD5: 70A3002B8A40775F4856FC2CC8330B84)
    • cmd.exe (PID: 6588 cmdline: 'C:\Windows\System32\cmd.exe' /c copy 'C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • chrome.exe (PID: 6772 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe' MD5: 70A3002B8A40775F4856FC2CC8330B84)
    • cmd.exe (PID: 7144 cmdline: 'C:\Windows\System32\cmd.exe' /c copy 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • chrome.exe (PID: 6008 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe MD5: 70A3002B8A40775F4856FC2CC8330B84)
  • cleanup
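The process tree above is the whole persistence story in four lines: the sample shells out to cmd.exe to copy itself into the per-user Startup folder under the name chrome.exe, the copy re-launches, and the copy repeats the same copy onto itself. The Python below is an added example (not part of the Joe Sandbox report) that encodes that pattern as three detections and runs them over process-creation events reconstructed from the tree; the parent PIDs, the trusted-name list and the trusted-directory prefixes are assumptions of the example, and the single-quoted command lines follow the report's own rendering.

```python
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# Per-user autostart folder the sample copies itself into (matched case-insensitively).
STARTUP_DIR = "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\"
# Assumption: names a dropper borrows to look legitimate, and where the genuine binaries live.
TRUSTED_NAMES = {"chrome.exe", "firefox.exe", "msedge.exe", "svchost.exe", "explorer.exe"}
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Joe Sandbox renders command-line arguments in single quotes, so that is what the pattern expects.
COPY_RE = re.compile(r"/c\s+copy\s+'(?P<src>[^']+)'\s+'(?P<dst>[^']+)'", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # 0 where the report shows the process at the top level of the tree
    image: str
    cmdline: str
    md5: str


# Constructed from the report's Startup tree; parent PIDs follow the tree's nesting (assumption).
EVENTS = [
    ProcEvent(6524, 0, r"C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe",
              r"'C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe'",
              "70A3002B8A40775F4856FC2CC8330B84"),
    ProcEvent(6588, 6524, r"C:\Windows\System32\cmd.exe",
              r"'C:\Windows\System32\cmd.exe' /c copy 'C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe' "
              r"'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe'",
              "F3BDBE3BB6F734E357235F4D5898582D"),
    ProcEvent(6596, 6588, r"C:\Windows\system32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", "EA777DEEA782E8B4D7C7C33BBF8A4496"),
    ProcEvent(6772, 0, r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe",
              r"'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe'",
              "70A3002B8A40775F4856FC2CC8330B84"),
    ProcEvent(7144, 6772, r"C:\Windows\System32\cmd.exe",
              r"'C:\Windows\System32\cmd.exe' /c copy 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe' "
              r"'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe'",
              "F3BDBE3BB6F734E357235F4D5898582D"),
    ProcEvent(7160, 7144, r"C:\Windows\system32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", "EA777DEEA782E8B4D7C7C33BBF8A4496"),
    ProcEvent(6008, 6772, r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe",
              r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe",
              "70A3002B8A40775F4856FC2CC8330B84"),
]


def startup_copy(ev):
    """cmd.exe /c copy whose destination is inside the per-user Startup folder."""
    m = COPY_RE.search(ev.cmdline)
    if m and STARTUP_DIR in m.group("dst").lower():
        return m.group("src"), m.group("dst")
    return None


def masquerade(ev):
    """A trusted-looking image name executing from outside the directories it belongs in."""
    name = ntpath.basename(ev.image).lower()
    directory = ntpath.dirname(ev.image).lower() + "\\"
    return name in TRUSTED_NAMES and not directory.startswith(TRUSTED_PREFIXES)


def same_hash_different_names(events):
    """One MD5 executing under several file names: the sample re-launched as its dropped copy."""
    names = defaultdict(set)
    for ev in events:
        names[ev.md5.lower()].add(ntpath.basename(ev.image).lower())
    return {h: n for h, n in names.items() if len(n) > 1}


def analyse(events):
    findings = []
    for ev in events:
        hit = startup_copy(ev)
        if hit:
            findings.append((ev.pid, "startup_copy", hit[1]))
        if masquerade(ev):
            findings.append((ev.pid, "masquerade", ev.image))
    for md5, names in same_hash_different_names(events).items():
        findings.append((None, "same_hash_multiple_names", f"{md5} -> {sorted(names)}"))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in analyse(EVENTS):
        print(f"{pid!s:>6} {rule:<26} {detail}")
```

The hash-correlation rule is the one that survives renaming: even if the dropper picked a name that is not on the trusted list, the same MD5 executing under two different file names in one session is what the tree shows and is cheap to check in any EDR telemetry that records image hashes.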

Malware Configuration

Threatname: Agenttesla

{"Username: ": "2reY6aX8", "URL: ": "https://jQZUo5hfcV00Zbb4MFz.org", "To: ": "sjohne@yandex.com", "ByHost: ": "smtp.yandex.com:587", "Password: ": "AuVKTOBnwV", "From: ": "sjohne@yandex.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000009.00000002.457621646.0000000002B91000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000009.00000002.457621646.0000000002B91000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.450669539.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000009.00000002.450884129.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.207096174.00000000036DE000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(the full report lists 9 memory-dump matches; only these are reproduced here)

Unpacked PEs

Source | Rule | Description | Author
9.2.chrome.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
3.2.purchase order oct_20_80373592_80373595.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
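The memory-dump identifiers in the two tables above tell you which region to pull for unpacking: the hits at base 0x402000 carry protection 0x40, which is PAGE_EXECUTE_READWRITE, while the hits at 0x2B91000 and 0x36DE000 carry 0x04, PAGE_READWRITE, and are heap regions holding strings and configuration. The executable hits in processes 3 and 9 line up with the two 0x400000 entries in the Unpacked PEs table. The Python below is an added example (not from the report or from Joe Security) that parses the identifiers and ranks them for triage; the field layout (process index, phase, dump id, base address, protection, type) is assumed from the identifiers themselves, only the protection column is decoded using the documented Win32 PAGE_* constants, and the meaning of the last field is left undecoded.

```python
import re
from dataclasses import dataclass

# Win32 PAGE_* protection constants (documented values) used to decode the fifth field.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_MASK = 0xF0  # any of the four PAGE_EXECUTE* bits

# Assumed field layout, read off the identifiers in this report:
# <process index>.<phase>.<dump id>.<base address>.<protection>.<type>.sdmp
DUMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<phase>[0-9a-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<prot>[0-9a-f]{8})\.(?P<kind>[0-9a-f]{8})\.sdmp$", re.IGNORECASE)

# Constructed from the Yara "Memory Dumps" table above (same identifiers and rule names).
YARA_HITS = [
    ("00000009.00000002.457621646.0000000002B91000.00000004.00000001.sdmp", "JoeSecurity_AgentTesla_1"),
    ("00000009.00000002.457621646.0000000002B91000.00000004.00000001.sdmp", "JoeSecurity_CredentialStealer"),
    ("00000003.00000002.450669539.0000000000402000.00000040.00000001.sdmp", "JoeSecurity_AgentTesla_1"),
    ("00000009.00000002.450884129.0000000000402000.00000040.00000001.sdmp", "JoeSecurity_AgentTesla_1"),
    ("00000000.00000002.207096174.00000000036DE000.00000004.00000001.sdmp", "JoeSecurity_AgentTesla_1"),
]


@dataclass(frozen=True)
class Dump:
    process_index: int
    phase: int
    dump_id: int
    base: int
    protection: int
    kind: int          # last field; its meaning is not decoded here

    @property
    def protection_name(self):
        return PAGE_PROTECTION.get(self.protection & 0xFF, f"0x{self.protection:x}")

    @property
    def executable(self):
        return bool(self.protection & EXECUTE_MASK)


def parse_dump_name(name):
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory-dump identifier: {name}")
    return Dump(int(m["proc"], 16), int(m["phase"], 16), int(m["dump"]),
                int(m["base"], 16), int(m["prot"], 16), int(m["kind"], 16))


def unpack_candidates(hits):
    """Executable regions first: those hold the unpacked code, RW regions hold strings and config."""
    rules_by_dump = {}
    for name, rule in hits:
        rules_by_dump.setdefault(parse_dump_name(name), set()).add(rule)
    ranked = sorted(rules_by_dump, key=lambda d: (not d.executable, d.process_index, d.base))
    return [(d, sorted(rules_by_dump[d])) for d in ranked]


if __name__ == "__main__":
    for d, rules in unpack_candidates(YARA_HITS):
        tag = "CODE" if d.executable else "DATA"
        print(f"{tag} proc={d.process_index} base=0x{d.base:08x} {d.protection_name:<22} {', '.join(rules)}")
```

The RW region in process 9 is still worth keeping: it is the only dump that matched both the AgentTesla rule and the credential-stealer rule, and it is the region the configuration extractor would have read the SMTP settings from.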

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: purchase order oct_20_80373592_80373595.exe; Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe; Avira: detection malicious, Label: TR/Kryptik.fymyy
Found malware configuration
Source: chrome.exe.6008.9.memstr; Malware Configuration Extractor: Agenttesla {"Username: ": "2reY6aX8", "URL: ": "https://jQZUo5hfcV00Zbb4MFz.org", "To: ": "sjohne@yandex.com", "ByHost: ": "smtp.yandex.com:587", "Password: ": "AuVKTOBnwV", "From: ": "sjohne@yandex.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe; ReversingLabs: Detection: 47%
Multi AV Scanner detection for submitted file
Source: purchase order oct_20_80373592_80373595.exe; Virustotal: Detection: 44%
Source: purchase order oct_20_80373592_80373595.exe; ReversingLabs: Detection: 47%
Source: 9.2.chrome.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 3.2.purchase order oct_20_80373592_80373595.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe; File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe; File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\

Networking:

May check the online IP address of the machine
Source: unknown; DNS query: name: api.ipify.org (12 identical entries)
Source: global traffic; TCP traffic: 192.168.2.5:49719 -> 77.88.21.158:587
Source: Joe Sandbox View; IP Address: 77.88.21.158
Source: Joe Sandbox View; IP Address: 54.225.66.103
Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic; TCP traffic: 192.168.2.5:49719 -> 77.88.21.158:587
Source: unknown; DNS traffic detected: queries for: smtp.yandex.com
Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.457678174.0000000002E41000.00000004.00000001.sdmp, chrome.exe, 00000009.00000002.457621646.0000000002B91000.00000004.00000001.sdmp; String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: chrome.exe, 00000009.00000002.457621646.0000000002B91000.00000004.00000001.sdmp; String found in binary or memory: http://DynDns.comDynDNS
Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.459104459.0000000003195000.00000004.00000001.sdmp, chrome.exe, 00000009.00000002.459613973.0000000002EE7000.00000004.00000001.sdmp; String found in binary or memory: http://api.ipify.org
Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.464370690.0000000006741000.00000004.00000001.sdmp, chrome.exe, 00000009.00000002.459393754.0000000002EA5000.00000004.00000001.sdmp; String found in binary or memory: http://crl.certum.pl/ca.crl0h
Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.458655397.000000000312D000.00000004.00000001.sdmp, chrome.exe, 00000009.00000002.459393754.0000000002EA5000.00000004.00000001.sdmp; String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.464370690.0000000006741000.00000004.00000001.sdmp, chrome.exe, 00000009.00000002.464955824.0000000006210000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.464370690.0000000006741000.00000004.00000001.sdmp, chrome.exe, 00000009.00000002.464955824.0000000006210000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl0
Source: chrome.exe, 00000009.00000003.301087122.000000000622E000.00000004.00000001.sdmp; String found in binary or memory: http://crl.mB
Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.458655397.000000000312D000.00000004.00000001.sdmp, chrome.exe, 00000009.00000002.459393754.0000000002EA5000.00000004.00000001.sdmp; String found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.459104459.0000000003195000.00000004.00000001.sdmp, chrome.exe, 00000009.00000002.459613973.0000000002EE7000.00000004.00000001.sdmp; String found in binary or memory: http://elb097307-934924932.us-east-1.elb.amazonaws.com
Source: chrome.exe, 00000009.00000002.457621646.0000000002B91000.00000004.00000001.sdmp; String found in binary or memory: http://gJmQLt.com
Source: chrome.exe, 00000009.00000002.464955824.0000000006210000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com0
Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.464370690.0000000006741000.00000004.00000001.sdmp, chrome.exe, 00000009.00000002.459393754.0000000002EA5000.00000004.00000001.sdmp; String found in binary or memory: http://repository.certum.pl/ca.cer09
Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.458655397.000000000312D000.00000004.00000001.sdmp, chrome.exe, 00000009.00000002.459393754.0000000002EA5000.00000004.00000001.sdmp; String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.458655397.000000000312D000.00000004.00000001.sdmp, chrome.exe, 00000009.00000002.459393754.0000000002EA5000.00000004.00000001.sdmp; String found in binary or memory: http://repository.certum.pl/ycasha2.cer0
Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.459042673.0000000003186000.00000004.00000001.sdmp, chrome.exe, 00000009.00000002.459569001.0000000002ED9000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.458655397.000000000312D000.00000004.00000001.sdmp, chrome.exe, 00000009.00000002.459393754.0000000002EA5000.00000004.00000001.sdmp; String found in binary or memory: http://smtp.yandex.com
Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.464370690.0000000006741000.00000004.00000001.sdmp, chrome.exe, 00000009.00000002.459393754.0000000002EA5000.00000004.00000001.sdmp; String found in binary or memory: http://subca.ocsp-certum.com0.
Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.458655397.000000000312D000.00000004.00000001.sdmp, chrome.exe, 00000009.00000002.459393754.0000000002EA5000.00000004.00000001.sdmp; String found in binary or memory: http://subca.ocsp-certum.com01
Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.464370690.0000000006741000.00000004.00000001.sdmp, chrome.exe, 00000009.00000002.459393754.0000000002EA5000.00000004.00000001.sdmp; String found in binary or memory: http://www.certum.pl/CPS0
Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.458655397.000000000312D000.00000004.00000001.sdmp, chrome.exe, 00000009.00000002.459393754.0000000002EA5000.00000004.00000001.sdmp; String found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.458655397.000000000312D000.00000004.00000001.sdmp, chrome.exe, 00000009.00000002.459393754.0000000002EA5000.00000004.00000001.sdmp; String found in binary or memory: http://yandex.ocsp-responder.com03
Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.459042673.0000000003186000.00000004.00000001.sdmp, chrome.exe, 00000009.00000002.459569001.0000000002ED9000.00000004.00000001.sdmp; String found in binary or memory: https://api.ipify.org
Source: chrome.exe, 00000009.00000002.459569001.0000000002ED9000.00000004.00000001.sdmp; String found in binary or memory: https://api.ipify.org/
Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.459042673.0000000003186000.00000004.00000001.sdmp, chrome.exe, 00000009.00000002.459569001.0000000002ED9000.00000004.00000001.sdmp; String found in binary or memory: https://api.ipify.org4
Source: chrome.exe, 00000009.00000002.457621646.0000000002B91000.00000004.00000001.sdmp; String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: purchase order oct_20_80373592_80373595.exe, 00000000.00000002.207096174.00000000036DE000.00000004.00000001.sdmp, purchase order oct_20_80373592_80373595.exe, 00000003.00000002.450669539.0000000000402000.00000040.00000001.sdmp, chrome.exe, 00000005.00000002.248112089.00000000045DF000.00000004.00000001.sdmp, chrome.exe, 00000009.00000002.450884129.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.457678174.0000000002E41000.00000004.00000001.sdmp, chrome.exe, 00000009.00000002.457621646.0000000002B91000.00000004.00000001.sdmp; String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: chrome.exe, 00000009.00000002.457621646.0000000002B91000.00000004.00000001.sdmp, chrome.exe, 00000009.00000002.459569001.0000000002ED9000.00000004.00000001.sdmp; String found in binary or memory: https://jQZUo5hfcV00Zbb4MFz.org
Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.457678174.0000000002E41000.00000004.00000001.sdmp, chrome.exe, 00000009.00000002.457621646.0000000002B91000.00000004.00000001.sdmp; String found in binary or memory: https://jQZUo5hfcV00Zbb4MFz.org0
Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.464370690.0000000006741000.00000004.00000001.sdmp, chrome.exe, 00000009.00000002.464955824.0000000006210000.00000004.00000001.sdmp; String found in binary or memory: https://secure.comodo.com/CPS0
Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.458655397.000000000312D000.00000004.00000001.sdmp, chrome.exe, 00000009.00000002.459393754.0000000002EA5000.00000004.00000001.sdmp; String found in binary or memory: https://www.certum.pl/CPS0
Source: purchase order oct_20_80373592_80373595.exe, 00000000.00000002.207096174.00000000036DE000.00000004.00000001.sdmp, purchase order oct_20_80373592_80373595.exe, 00000003.00000002.450669539.0000000000402000.00000040.00000001.sdmp, chrome.exe, 00000005.00000002.248112089.00000000045DF000.00000004.00000001.sdmp, chrome.exe, 00000009.00000002.450884129.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.457678174.0000000002E41000.00000004.00000001.sdmp, chrome.exe, 00000009.00000002.457621646.0000000002B91000.00000004.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown; Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown; Network traffic detected: HTTP traffic on port 49720 -> 443
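The extracted configuration and the network section together describe the exfiltration chain: the stealer first asks api.ipify.org for the victim's public IP (the "May check the online IP address" signature), then resolves the configured SMTP host and submits the loot on port 587 to 77.88.21.158 with the credentials in the config. The Python below is an added example (not part of the report) that normalises the extractor's configuration into indicators and runs three detections over constructed DNS and flow records in a minimal format of the example's own; the list of public IP-check services and the internal relay address 10.0.0.25 are assumptions, and the log format is invented for the example.

```python
import json
import re
from urllib.parse import urlparse

# The configuration exactly as the report's extractor printed it (keys carry a trailing ": ").
RAW_CONFIG = ('{"Username: ": "2reY6aX8", "URL: ": "https://jQZUo5hfcV00Zbb4MFz.org", '
              '"To: ": "sjohne@yandex.com", "ByHost: ": "smtp.yandex.com:587", '
              '"Password: ": "AuVKTOBnwV", "From: ": "sjohne@yandex.com"}')

# Assumptions for this example: the public "what is my IP" services an organisation wants flagged,
# and the internal relays that are the only hosts a workstation should talk SMTP to.
IP_CHECK_DOMAINS = {"api.ipify.org", "checkip.dyndns.org", "ipinfo.io"}
INTERNAL_RELAYS = {"10.0.0.25"}

# Constructed log lines in a minimal "dns <src> <name>" / "tcp <src>:<sport> -> <dst>:<dport>" form.
# The first four mirror the report's traffic; the last two are benign noise that must not alert.
LOGS = [
    "dns 192.168.2.5 api.ipify.org",
    "tcp 192.168.2.5:49720 -> 54.225.66.103:443",
    "dns 192.168.2.5 smtp.yandex.com",
    "tcp 192.168.2.5:49719 -> 77.88.21.158:587",
    "dns 192.168.2.5 www.microsoft.com",
    "tcp 192.168.2.5:49800 -> 10.0.0.25:587",
]

DNS_RE = re.compile(r"^dns (\S+) (\S+)$")
TCP_RE = re.compile(r"^tcp (\S+):(\d+) -> (\S+):(\d+)$")


def normalise_config(raw):
    """Strip the extractor's 'Key: ' artefact from the field names and lower-case them."""
    return {k.strip().rstrip(":").lower(): v for k, v in json.loads(raw).items()}


def iocs_from_config(cfg):
    """Turn the SMTP-mode AgentTesla config into indicators a network sensor can match."""
    host, _, port = cfg["byhost"].partition(":")
    host = host.lower()
    url_host = (urlparse(cfg["url"]).hostname or "").lower()
    return {
        "smtp_host": host,
        "smtp_port": int(port) if port else 25,  # 587 is the RFC 6409 submission port; 25 if none given
        "exfil_mailbox": cfg["to"].lower(),      # where the stolen credentials are sent
        "domains": {d for d in (host, url_host) if d},
    }


def detect(log_lines, iocs, internal_relays=INTERNAL_RELAYS):
    """Flag the IP-check beacon, lookups of config domains, and SMTP submissions that bypass the relay."""
    alerts = []
    hosts_that_resolved_c2 = set()
    for line in log_lines:
        m = DNS_RE.match(line)
        if m:
            src, name = m.group(1), m.group(2).lower().rstrip(".")
            if name in IP_CHECK_DOMAINS:
                alerts.append(("external_ip_check", src, name))
            if name in iocs["domains"]:
                alerts.append(("config_domain_lookup", src, name))
                hosts_that_resolved_c2.add(src)
            continue
        m = TCP_RE.match(line)
        if m and int(m.group(4)) == iocs["smtp_port"] and m.group(3) not in internal_relays:
            src, dst = m.group(1), f"{m.group(3)}:{m.group(4)}"
            # Stronger verdict when the same host already resolved the configured SMTP server.
            rule = "smtp_exfil_chain" if src in hosts_that_resolved_c2 else "direct_smtp_submission"
            alerts.append((rule, src, dst))
    return alerts


if __name__ == "__main__":
    indicators = iocs_from_config(normalise_config(RAW_CONFIG))
    print("IOCs:", indicators)
    for alert in detect(LOGS, indicators):
        print(*alert)
```

The config-derived domains are the short-lived part of this: AgentTesla operators rotate mailboxes and hosts per campaign, so the durable rule is the one that needs no configuration at all, a workstation opening port 587 to anything other than the organisation's own relay, ideally shortly after a public IP lookup.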

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe; Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe; Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe
Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe; Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe; Window created: window name: CLIPBRDWNDCLASS

                System Summary:

                barindex
                Initial sample is a PE file and has a suspicious nameShow sources
                Source: initial sampleStatic PE information: Filename: purchase order oct_20_80373592_80373595.exe
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exeCode function: 0_2_001260430_2_00126043
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exeCode function: 0_2_023EDF3C0_2_023EDF3C
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exeCode function: 0_2_001220500_2_00122050
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exeCode function: 3_2_00A360433_2_00A36043
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exeCode function: 3_2_013748603_2_01374860
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exeCode function: 3_2_01373D8C3_2_01373D8C
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exeCode function: 3_2_0137481F3_2_0137481F
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exeCode function: 3_2_0137555F3_2_0137555F
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exeCode function: 3_2_064B25103_2_064B2510
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exeCode function: 3_2_064B32703_2_064B3270
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exeCode function: 3_2_064B2B383_2_064B2B38
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exeCode function: 3_2_064BB3383_2_064BB338
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exeCode function: 3_2_064BD3D03_2_064BD3D0
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exeCode function: 3_2_064BA6E03_2_064BA6E0
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exeCode function: 3_2_06637DB83_2_06637DB8
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exeCode function: 3_2_066314043_2_06631404
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exeCode function: 3_2_00A320503_2_00A32050
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exeCode function: 5_2_00A760435_2_00A76043
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exeCode function: 5_2_0136DF3C5_2_0136DF3C
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exeCode function: 5_2_00A720505_2_00A72050
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exeCode function: 9_2_007360439_2_00736043
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exeCode function: 9_2_011748609_2_01174860
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exeCode function: 9_2_01173D8C9_2_01173D8C
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exeCode function: 9_2_011747729_2_01174772
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exeCode function: 9_2_011755509_2_01175550
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exeCode function: 9_2_0117DA439_2_0117DA43
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exeCode function: 9_2_05D195D09_2_05D195D0
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exeCode function: 9_2_05D16D409_2_05D16D40
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exeCode function: 9_2_05D176109_2_05D17610
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exeCode function: 9_2_05D169F89_2_05D169F8
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exeCode function: 9_2_05D126B89_2_05D126B8
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exeCode function: 9_2_0608D3D09_2_0608D3D0
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exeCode function: 9_2_06082C889_2_06082C88
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exeCode function: 9_2_0608B0909_2_0608B090
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exeCode function: 9_2_060825109_2_06082510
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exeCode function: 9_2_0608A6E09_2_0608A6E0
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exeCode function: 9_2_007320509_2_00732050
                Source: purchase order oct_20_80373592_80373595.exeBinary or memory string: OriginalFilename vs purchase order oct_20_80373592_80373595.exe
                Source: purchase order oct_20_80373592_80373595.exe, 00000000.00000002.210699784.0000000005C50000.00000002.00000001.sdmpBinary or memory string: originalfilename vs purchase order oct_20_80373592_80373595.exe
                Source: purchase order oct_20_80373592_80373595.exe, 00000000.00000002.210699784.0000000005C50000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs purchase order oct_20_80373592_80373595.exe
                Source: purchase order oct_20_80373592_80373595.exe, 00000000.00000002.210416742.0000000005B60000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs purchase order oct_20_80373592_80373595.exe
                Source: purchase order oct_20_80373592_80373595.exe, 00000000.00000002.204120579.0000000002461000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXRneceIEEWrKODlyeEIFtxx.exe4 vs purchase order oct_20_80373592_80373595.exe
                Source: purchase order oct_20_80373592_80373595.exe, 00000000.00000002.203394423.0000000000122000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameDesktopSisters.exe4 vs purchase order oct_20_80373592_80373595.exe
                Source: purchase order oct_20_80373592_80373595.exe, 00000000.00000002.205573635.0000000003469000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePRIVATESTUB.dll4 vs purchase order oct_20_80373592_80373595.exe
                Source: purchase order oct_20_80373592_80373595.exeBinary or memory string: OriginalFilename vs purchase order oct_20_80373592_80373595.exe
                Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.452364200.0000000000BC0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs purchase order oct_20_80373592_80373595.exe
                Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.452504281.0000000000EF7000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs purchase order oct_20_80373592_80373595.exe
                Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.450669539.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameXRneceIEEWrKODlyeEIFtxx.exe4 vs purchase order oct_20_80373592_80373595.exe
                Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.463827846.00000000064D0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs purchase order oct_20_80373592_80373595.exe
                Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.451593777.0000000000A32000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameDesktopSisters.exe4 vs purchase order oct_20_80373592_80373595.exe
                Source: purchase order oct_20_80373592_80373595.exe, 00000003.00000002.464448410.0000000006910000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs purchase order oct_20_80373592_80373595.exe
                Source: purchase order oct_20_80373592_80373595.exeBinary or memory string: OriginalFilenameDesktopSisters.exe4 vs purchase order oct_20_80373592_80373595.exe
                Source: classification engineClassification label: mal100.troj.adwa.spyw.evad.winEXE@12/4@8/3
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\purchase order oct_20_80373592_80373595.exe.logJump to behavior
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:120:WilError_01
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7160:120:WilError_01
                Source: purchase order oct_20_80373592_80373595.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: purchase order oct_20_80373592_80373595.exe | Virustotal: Detection: 44%
                Source: purchase order oct_20_80373592_80373595.exe | ReversingLabs: Detection: 47%
                Source: unknown | Process created: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe 'C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe'
                Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c copy 'C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe'
                Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknown | Process created: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe'
                Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c copy 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe'
                Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c copy 'C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe'
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe | Process created: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c copy 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe'
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: purchase order oct_20_80373592_80373595.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: purchase order oct_20_80373592_80373595.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                Source: purchase order oct_20_80373592_80373595.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: DesktopSisters.pdbSHA256 source: purchase order oct_20_80373592_80373595.exe
                Source: Binary string: DesktopSisters.pdb source: chrome.exe, purchase order oct_20_80373592_80373595.exe
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe | Code function: 0_2_00122309 push es; retf 0001h 0_2_00122A72
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe | Code function: 0_2_00122050 push es; ret 0_2_00122306
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe | Code function: 0_2_00122050 push es; retf 0001h 0_2_00122A72
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe | Code function: 3_2_00A32309 push es; retf 0001h 3_2_00A32A72
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe | Code function: 3_2_064B8ECE push es; iretd 3_2_064B8ED0
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe | Code function: 3_2_064B835F push edi; retn 0000h 3_2_064B8361
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe | Code function: 3_2_06635CCC push es; retf 3_2_06635CD8
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe | Code function: 3_2_00A32050 push es; ret 3_2_00A32306
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe | Code function: 3_2_00A32050 push es; retf 0001h 3_2_00A32A72
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | Code function: 5_2_00A72309 push es; retf 0001h 5_2_00A72A72
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | Code function: 5_2_00A72050 push es; ret 5_2_00A72306
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | Code function: 5_2_00A72050 push es; retf 0001h 5_2_00A72A72
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | Code function: 9_2_00732309 push es; retf 0001h 9_2_00732A72
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | Code function: 9_2_0117E311 push cs; retf 9_2_0117E312
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | Code function: 9_2_0117E92F push ss; retf 9_2_0117E932
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | Code function: 9_2_05D159E0 push esp; retf 9_2_05D159E1
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | Code function: 9_2_05D169EC pushfd ; retf 9_2_05D169ED
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | Code function: 9_2_05D16884 push 8405CB66h; retf 9_2_05D16889
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | Code function: 9_2_05D1737C pushad ; retf 9_2_05D1737D
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | Code function: 9_2_05D17B01 push 680005CBh; retf 9_2_05D17B06
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | Code function: 9_2_06088ECF push es; iretd 9_2_06088ED0
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | Code function: 9_2_06086AEB push es; ret 9_2_06086B34
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | Code function: 9_2_0608835F push edi; retn 0000h 9_2_06088361
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | Code function: 9_2_06086B77 push es; ret 9_2_06086B80
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | Code function: 9_2_06086BC3 push es; ret 9_2_06086BCC
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | Code function: 9_2_0608C3ED push dword ptr [eax+esi-75h]; iretd 9_2_0608C406
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | Code function: 9_2_06086C0F push es; ret 9_2_06086C18
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | Code function: 9_2_06086C5B push es; ret 9_2_06086C64
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | Code function: 9_2_06086CA7 push es; ret 9_2_06086CB0
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | Code function: 9_2_06086CF3 push es; ret 9_2_06086CFC
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | Code function: 9_2_06086D3F push es; ret 9_2_06086D48
                Source: initial sample | Static PE information: section name: .text entropy: 7.61050499625
                Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe

                Boot Survival:

                Drops PE files to the startup folder
                Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe (dropped file)
                Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe
                Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe\:Zone.Identifier:$DATA

                Hooking and other Techniques for Hiding and Protection:

                Icon mismatch, binary includes an icon from a different legit application in order to fool users
                Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: icon (5281).png
                Moves itself to temp directory
                Source: c:\users\user\desktop\purchase order oct_20_80373592_80373595.exe | File moved: C:\Users\user\AppData\Local\Temp\tmpG405.tmp
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\Desktop\purchase order oct_20_80373592_80373595.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | Process information set: NOOPENFILEERRORBOX