Loading ...

Play interactive tourEdit tour

Analysis Report Purchase Order.exe

Overview

General Information

Sample Name:Purchase Order.exe
Analysis ID:299142
MD5:5cdd253f55478b4f888dea022ac557ac
SHA1:3cbf8d7695bceaf7dc0cc0a9afd89b9236b8a5bb
SHA256:25373c7ff4e7a9756a4f17b2459e1fe85b703f4192485ae8222e095f5c08c294
Tags:exeHawkEye

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Keylogger Generic
Yara signature match

Classification

Startup

  • System is w10x64
  • Purchase Order.exe (PID: 6448 cmdline: 'C:\Users\user\Desktop\Purchase Order.exe' MD5: 5CDD253F55478B4F888DEA022AC557AC)
    • Purchase Order.exe (PID: 6468 cmdline: 'C:\Users\user\Desktop\Purchase Order.exe' MD5: 5CDD253F55478B4F888DEA022AC557AC)
      • vbc.exe (PID: 6628 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6640 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.256966153.0000000000400000.00000040.00000001.sdmpJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
    00000001.00000002.507506542.0000000003B41000.00000004.00000001.sdmpJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
      00000001.00000002.507506542.0000000003B41000.00000004.00000001.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
        00000003.00000002.262393529.0000000000400000.00000040.00000001.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
          00000001.00000002.502501367.0000000000497000.00000040.00000001.sdmpRAT_HawkEyeDetects HawkEye RATKevin Breen <kevin@techanarchy.net>
          • 0x7b9ae:$key: HawkEyeKeylogger
          • 0x7db8c:$salt: 099u787978786
          • 0x7bfbb:$string1: HawkEye_Keylogger
          • 0x7cdfa:$string1: HawkEye_Keylogger
          • 0x7daec:$string1: HawkEye_Keylogger
          • 0x7c390:$string2: holdermail.txt
          • 0x7c3b0:$string2: holdermail.txt
          • 0x7c2d2:$string3: wallet.dat
          • 0x7c2ea:$string3: wallet.dat
          • 0x7c300:$string3: wallet.dat
          • 0x7d6ce:$string4: Keylog Records
          • 0x7d9e6:$string4: Keylog Records
          • 0x7dbe4:$string5: do not script -->
          • 0x7b996:$string6: \pidloc.txt
          • 0x7b9f0:$string7: BSPLIT
          • 0x7ba00:$string7: BSPLIT
          Click to see the 46 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          3.2.vbc.exe.400000.0.raw.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
            2.2.vbc.exe.400000.0.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
              2.2.vbc.exe.400000.0.raw.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
                3.2.vbc.exe.400000.0.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
                  1.2.Purchase Order.exe.2350000.3.unpackRAT_HawkEyeDetects HawkEye RATKevin Breen <kevin@techanarchy.net>
                  • 0x7b8c6:$key: HawkEyeKeylogger
                  • 0x7daa4:$salt: 099u787978786
                  • 0x7bed3:$string1: HawkEye_Keylogger
                  • 0x7cd12:$string1: HawkEye_Keylogger
                  • 0x7da04:$string1: HawkEye_Keylogger
                  • 0x7c2a8:$string2: holdermail.txt
                  • 0x7c2c8:$string2: holdermail.txt
                  • 0x7c1ea:$string3: wallet.dat
                  • 0x7c202:$string3: wallet.dat
                  • 0x7c218:$string3: wallet.dat
                  • 0x7d5e6:$string4: Keylog Records
                  • 0x7d8fe:$string4: Keylog Records
                  • 0x7dafc:$string5: do not script -->
                  • 0x7b8ae:$string6: \pidloc.txt
                  • 0x7b908:$string7: BSPLIT
                  • 0x7b918:$string7: BSPLIT
                  Click to see the 34 entries

                  Sigma Overview

                  No Sigma rule has matched

                  Signature Overview

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection:

                  barindex
                  Found malware configurationShow sources
                  Source: Purchase Order.exe.6448.0.memstrMalware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
                  Multi AV Scanner detection for submitted fileShow sources
                  Source: Purchase Order.exeReversingLabs: Detection: 52%
                  Machine Learning detection for sampleShow sources
                  Source: Purchase Order.exeJoe Sandbox ML: detected
                  Source: 0.2.Purchase Order.exe.4210000.2.unpackAvira: Label: TR/Patched.Ren.Gen
                  Source: 1.2.Purchase Order.exe.2250000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
                  Source: 1.2.Purchase Order.exe.2250000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
                  Source: 1.2.Purchase Order.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
                  Source: 1.2.Purchase Order.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
                  Source: 1.2.Purchase Order.exe.2350000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                  Source: 1.2.Purchase Order.exe.2350000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                  Source: 0.2.Purchase Order.exe.4270000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                  Source: 0.2.Purchase Order.exe.4270000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                  Source: 1.2.Purchase Order.exe.21c0000.1.unpackAvira: Label: TR/Inject.vcoldi
                  Source: Purchase Order.exe, 00000000.00000002.237882792.0000000004272000.00000040.00000001.sdmpBinary or memory string: autorun.inf
                  Source: Purchase Order.exe, 00000000.00000002.237882792.0000000004272000.00000040.00000001.sdmpBinary or memory string: [autorun]
                  Source: Purchase Order.exeBinary or memory string: [autorun]
                  Source: Purchase Order.exeBinary or memory string: autorun.inf
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_004089E8 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,0_2_004089E8
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_00408AE8 FindFirstFileA,GetLastError,0_2_00408AE8
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_00405B0C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_00405B0C
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,2_2_00406EC3
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,3_2_00408441
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,3_2_00407E0E

                  Networking:

                  barindex
                  Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
                  Source: TrafficSnort IDS: 2019926 ET TROJAN HawkEye Keylogger Report SMTP 192.168.2.5:49730 -> 208.91.199.225:587
                  May check the online IP address of the machineShow sources
                  Source: unknownDNS query: name: whatismyipaddress.com
                  Source: unknownDNS query: name: whatismyipaddress.com
                  Source: unknownDNS query: name: whatismyipaddress.com
                  Source: unknownDNS query: name: whatismyipaddress.com
                  Source: unknownDNS query: name: whatismyipaddress.com
                  Source: unknownDNS query: name: whatismyipaddress.com
                  Source: unknownDNS query: name: whatismyipaddress.com
                  Source: unknownDNS query: name: whatismyipaddress.com
                  Source: unknownDNS query: name: whatismyipaddress.com
                  Source: unknownDNS query: name: whatismyipaddress.com
                  Source: global trafficTCP traffic: 192.168.2.5:49730 -> 208.91.199.225:587
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                  Source: Joe Sandbox ViewIP Address: 104.16.155.36 104.16.155.36
                  Source: Joe Sandbox ViewIP Address: 208.91.199.225 208.91.199.225
                  Source: global trafficTCP traffic: 192.168.2.5:49730 -> 208.91.199.225:587
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                  Source: vbc.exe, 00000003.00000002.263079800.000000000099E000.00000004.00000040.sdmpString found in binary or memory: &ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/logine%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehp equals www.facebook.com (Facebook)
                  Source: vbc.exe, 00000003.00000002.263079800.000000000099E000.00000004.00000040.sdmpString found in binary or memory: &ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/logine%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehp equals www.yahoo.com (Yahoo)
                  Source: Purchase Order.exe, 00000000.00000002.237882792.0000000004272000.00000040.00000001.sdmp, Purchase Order.exe, 00000001.00000002.507506542.0000000003B41000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.262393529.0000000000400000.00000040.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                  Source: Purchase Order.exe, 00000000.00000002.237882792.0000000004272000.00000040.00000001.sdmp, Purchase Order.exe, 00000001.00000002.507506542.0000000003B41000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.262393529.0000000000400000.00000040.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                  Source: Purchase Order.exe, vbc.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                  Source: unknownDNS traffic detected: queries for: 55.235.10.0.in-addr.arpa
                  Source: Purchase Order.exe, 00000000.00000002.237882792.0000000004272000.00000040.00000001.sdmp, Purchase Order.exe, 00000001.00000002.507506542.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
                  Source: Purchase Order.exe, 00000001.00000003.240803854.0000000004FEC000.00000004.00000001.sdmpString found in binary or memory: http://en.w
                  Source: Purchase Order.exe, 00000001.00000003.237135718.0000000004FED000.00000004.00000001.sdmpString found in binary or memory: http://en.wikipedia
                  Source: Purchase Order.exe, 00000001.00000003.237276331.0000000005015000.00000004.00000001.sdmp, Purchase Order.exe, 00000001.00000002.508301519.0000000005150000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                  Source: Purchase Order.exe, 00000001.00000003.237276331.0000000005015000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.comh
                  Source: Purchase Order.exe, 00000000.00000002.237882792.0000000004272000.00000040.00000001.sdmp, Purchase Order.exe, 00000001.00000002.507506542.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                  Source: Purchase Order.exe, 00000001.00000002.506600160.0000000002B41000.00000004.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com
                  Source: Purchase Order.exeString found in binary or memory: http://whatismyipaddress.com/
                  Source: Purchase Order.exe, 00000000.00000002.237882792.0000000004272000.00000040.00000001.sdmp, Purchase Order.exe, 00000001.00000002.502501367.0000000000497000.00000040.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com/-
                  Source: Purchase Order.exe, 00000001.00000003.244581906.000000000501D000.00000004.00000001.sdmpString found in binary or memory: http://www.agfamonotype.
                  Source: Purchase Order.exe, 00000001.00000002.508301519.0000000005150000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: Purchase Order.exe, 00000001.00000002.508301519.0000000005150000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                  Source: Purchase Order.exe, 00000001.00000003.242247967.0000000004FF2000.00000004.00000001.sdmp, Purchase Order.exe, 00000001.00000003.242572147.0000000004FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                  Source: Purchase Order.exe, 00000001.00000002.508301519.0000000005150000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                  Source: Purchase Order.exe, 00000001.00000003.242247967.0000000004FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
                  Source: Purchase Order.exe, 00000001.00000002.508301519.0000000005150000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                  Source: Purchase Order.exe, 00000001.00000002.508301519.0000000005150000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                  Source: Purchase Order.exe, 00000001.00000002.508301519.0000000005150000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                  Source: Purchase Order.exe, 00000001.00000002.508301519.0000000005150000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                  Source: Purchase Order.exe, 00000001.00000002.508301519.0000000005150000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                  Source: Purchase Order.exe, 00000001.00000002.508301519.0000000005150000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                  Source: Purchase Order.exe, 00000001.00000002.508194641.0000000004FE0000.00000004.00000001.sdmp, Purchase Order.exe, 00000001.00000003.242572147.0000000004FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comF
                  Source: Purchase Order.exe, 00000001.00000003.242572147.0000000004FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd
                  Source: Purchase Order.exe, 00000001.00000003.242572147.0000000004FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd(
                  Source: Purchase Order.exe, 00000001.00000002.508194641.0000000004FE0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comdia
                  Source: Purchase Order.exe, 00000001.00000003.242247967.0000000004FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comgrita
                  Source: Purchase Order.exe, 00000001.00000002.508194641.0000000004FE0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comt
                  Source: Purchase Order.exe, 00000001.00000002.508194641.0000000004FE0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comttvL
                  Source: Purchase Order.exe, 00000001.00000003.237124736.0000000005015000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                  Source: Purchase Order.exe, 00000001.00000003.237124736.0000000005015000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comD
                  Source: Purchase Order.exe, 00000001.00000003.237124736.0000000005015000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comM
                  Source: Purchase Order.exe, 00000001.00000003.240154614.0000000004FED000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                  Source: Purchase Order.exe, 00000001.00000002.508301519.0000000005150000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                  Source: Purchase Order.exe, 00000001.00000002.508301519.0000000005150000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                  Source: Purchase Order.exe, 00000001.00000003.239146293.0000000004FF1000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnLog
                  Source: Purchase Order.exe, 00000001.00000003.239146293.0000000004FF1000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnYl=Y
                  Source: Purchase Order.exe, 00000001.00000003.240154614.0000000004FED000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnihCY
                  Source: Purchase Order.exe, 00000001.00000003.240154614.0000000004FED000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnshUY
                  Source: Purchase Order.exe, 00000001.00000002.508301519.0000000005150000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                  Source: Purchase Order.exe, 00000001.00000002.508301519.0000000005150000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                  Source: Purchase Order.exe, 00000001.00000002.508301519.0000000005150000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                  Source: Purchase Order.exe, 00000001.00000003.241322683.0000000004FE4000.00000004.00000001.sdmp, Purchase Order.exe, 00000001.00000003.241494578.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                  Source: Purchase Order.exe, 00000001.00000003.241322683.0000000004FE4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/(
                  Source: Purchase Order.exe, 00000001.00000003.241322683.0000000004FE4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/1
                  Source: Purchase Order.exe, 00000001.00000003.241322683.0000000004FE4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
                  Source: Purchase Order.exe, 00000001.00000003.241191106.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/en-ur
                  Source: Purchase Order.exe, 00000001.00000003.241322683.0000000004FE4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/i
                  Source: Purchase Order.exe, 00000001.00000003.241322683.0000000004FE4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                  Source: Purchase Order.exe, 00000001.00000003.241494578.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/1
                  Source: Purchase Order.exe, 00000001.00000003.241322683.0000000004FE4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/ogra
                  Source: Purchase Order.exe, 00000001.00000003.241322683.0000000004FE4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/r
                  Source: Purchase Order.exe, 00000001.00000003.241322683.0000000004FE4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/s
                  Source: Purchase Order.exe, 00000001.00000003.241191106.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/s/
                  Source: Purchase Order.exe, 00000001.00000003.241191106.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/ubli
                  Source: Purchase Order.exe, 00000001.00000003.243236617.000000000501D000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.
                  Source: vbc.exe, vbc.exe, 00000003.00000002.262393529.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
                  Source: Purchase Order.exe, 00000001.00000002.508301519.0000000005150000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                  Source: Purchase Order.exe, 00000001.00000002.508301519.0000000005150000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                  Source: Purchase Order.exe, 00000001.00000002.508301519.0000000005150000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                  Source: Purchase Order.exe, 00000001.00000002.506600160.0000000002B41000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
                  Source: Purchase Order.exe, 00000001.00000002.508301519.0000000005150000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                  Source: Purchase Order.exe, 00000001.00000002.508301519.0000000005150000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                  Source: Purchase Order.exe, 00000001.00000002.508301519.0000000005150000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                  Source: Purchase Order.exe, 00000001.00000002.508301519.0000000005150000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                  Source: vbc.exe, 00000003.00000003.261808019.00000000020DC000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
                  Source: vbc.exe, 00000003.00000003.261808019.00000000020DC000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
                  Source: vbc.exe, 00000003.00000003.261808019.00000000020DC000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
                  Source: vbc.exe, 00000003.00000002.263079800.000000000099E000.00000004.00000040.sdmpString found in binary or memory: https://login.live.com/login.srfhttps://www.google.com/chrome/https://www.google.com/chrome/thank-yo
                  Source: vbc.exe, 00000003.00000003.261808019.00000000020DC000.00000004.00000001.sdmpString found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
                  Source: Purchase Order.exe, vbc.exeString found in binary or memory: https://login.yahoo.com/config/login
                  Source: Purchase Order.exe, 00000001.00000002.506600160.0000000002B41000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.com
                  Source: Purchase Order.exe, 00000001.00000002.506600160.0000000002B41000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.com/
                  Source: Purchase Order.exe, vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723

                  Key, Mouse, Clipboard, Microphone and Screen Capturing:

                  barindex
                  Yara detected HawkEye KeyloggerShow sources
                  Source: Yara matchFile source: 00000001.00000002.502501367.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.503614926.0000000002252000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.503482089.00000000021C0000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.237882792.0000000004272000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.238441155.0000000004307000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.503852912.0000000002352000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.502324995.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.506600160.0000000002B41000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: Purchase Order.exe PID: 6448, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: Purchase Order.exe PID: 6468, type: MEMORY
                  Source: Yara matchFile source: 1.2.Purchase Order.exe.2350000.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.Purchase Order.exe.21c0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.Purchase Order.exe.21c0000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Purchase Order.exe.4210000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Purchase Order.exe.4270000.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.Purchase Order.exe.2250000.2.unpack, type: UNPACKEDPE
                  Contains functionality to log keystrokes (.Net Source)Show sources
                  Source: 0.2.Purchase Order.exe.4270000.3.unpack, Form1.cs.Net Code: HookKeyboard
                  Source: 1.2.Purchase Order.exe.2250000.2.unpack, Form1.cs.Net Code: HookKeyboard
                  Source: 1.2.Purchase Order.exe.400000.0.unpack, Form1.cs.Net Code: HookKeyboard
                  Source: 1.2.Purchase Order.exe.2350000.3.unpack, Form1.cs.Net Code: HookKeyboard
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,2_2_0040AC8A
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_00423B38 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,0_2_00423B38
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_0043EB50 GetKeyboardState,0_2_0043EB50
                  Source: Yara matchFile source: Process Memory Space: Purchase Order.exe PID: 6448, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: Purchase Order.exe PID: 6468, type: MEMORY

                  System Summary:

                  barindex
                  Malicious sample detected (through community Yara rule)Show sources
                  Source: 00000001.00000002.502501367.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 00000001.00000002.502501367.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 00000001.00000002.503614926.0000000002252000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 00000001.00000002.503614926.0000000002252000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 00000001.00000002.503482089.00000000021C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 00000001.00000002.503482089.00000000021C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 00000000.00000002.237882792.0000000004272000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 00000000.00000002.237882792.0000000004272000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 00000000.00000002.238441155.0000000004307000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 00000000.00000002.238441155.0000000004307000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 00000001.00000002.503852912.0000000002352000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 00000001.00000002.503852912.0000000002352000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 00000001.00000002.502324995.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 00000001.00000002.502324995.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 00000001.00000002.506600160.0000000002B41000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 1.2.Purchase Order.exe.2350000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 1.2.Purchase Order.exe.2350000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 1.2.Purchase Order.exe.21c0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 1.2.Purchase Order.exe.21c0000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 1.2.Purchase Order.exe.21c0000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 1.2.Purchase Order.exe.21c0000.1.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 0.2.Purchase Order.exe.4210000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 0.2.Purchase Order.exe.4210000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 1.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 1.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 0.2.Purchase Order.exe.4270000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 0.2.Purchase Order.exe.4270000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 1.2.Purchase Order.exe.2250000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 1.2.Purchase Order.exe.2250000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Initial sample is a PE file and has a suspicious nameShow sources
                  Source: initial sampleStatic PE information: Filename: Purchase Order.exe
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_0045C8E4 NtdllDefWindowProc_A,0_2_0045C8E4
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_00441A88 NtdllDefWindowProc_A,GetCapture,0_2_00441A88
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_004349C0 NtdllDefWindowProc_A,0_2_004349C0
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_0045D060 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_0045D060
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_0045D110 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_0045D110
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_004514B4 GetSubMenu,SaveDC,RestoreDC,7378B080,SaveDC,RestoreDC,NtdllDefWindowProc_A,0_2_004514B4
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 1_2_00490159 NtCreateSection,1_2_00490159
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,FreeLibrary,3_2_00408836
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_0041E4CE0_2_0041E4CE
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_00456FB80_2_00456FB8
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_004514B40_2_004514B4
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_0047376C0_2_0047376C
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_0046D9080_2_0046D908
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 1_2_0040D4261_2_0040D426
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 1_2_0040D5231_2_0040D523
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 1_2_0041D5AE1_2_0041D5AE
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 1_2_004176461_2_00417646
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 1_2_004429BE1_2_004429BE
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 1_2_00446AF41_2_00446AF4
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 1_2_0046ABFC1_2_0046ABFC
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 1_2_00463C4D1_2_00463C4D
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 1_2_00463CBE1_2_00463CBE
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 1_2_0040ED031_2_0040ED03
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 1_2_00463D2F1_2_00463D2F
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 1_2_00463DC01_2_00463DC0
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 1_2_0040CF921_2_0040CF92
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 1_2_0041AFA61_2_0041AFA6
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 1_2_0048F13D1_2_0048F13D
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 1_2_004899761_2_00489976
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 1_2_004F90171_2_004F9017
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 1_2_004F90A81_2_004F90A8
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 1_2_004A227A1_2_004A227A
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 1_2_004B028E1_2_004B028E
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 1_2_004A270E1_2_004A270E
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 1_2_0043C7BC1_2_0043C7BC
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_00404DDB2_2_00404DDB
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_0040BD8A2_2_0040BD8A
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_00404E4C2_2_00404E4C
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_00404EBD2_2_00404EBD
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_00404F4E2_2_00404F4E
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_004044193_2_00404419
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_004045163_2_00404516
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_004135383_2_00413538
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_004145A13_2_004145A1
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_0040E6393_2_0040E639
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_004337AF3_2_004337AF
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_004399B13_2_004399B1
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_0043DAE73_2_0043DAE7
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00405CF63_2_00405CF6
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00403F853_2_00403F85
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00411F993_2_00411F99
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00413F8E appears 66 times
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00413E2D appears 34 times
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00442A90 appears 36 times
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 004141D6 appears 88 times
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00411538 appears 35 times
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: String function: 0040436C appears 73 times
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: String function: 0044BA9D appears 35 times
                  Source: Purchase Order.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                  Source: Purchase Order.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                  Source: Purchase Order.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                  Source: Purchase Order.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                  Source: Purchase Order.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                  Source: Purchase Order.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                  Source: Purchase Order.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                  Source: Purchase Order.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                  Source: Purchase Order.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                  Source: Purchase Order.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                  Source: Purchase Order.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                  Source: Purchase Order.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                  Source: Purchase Order.exe, 00000000.00000002.238352091.00000000042F2000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs Purchase Order.exe
                  Source: Purchase Order.exe, 00000000.00000000.232428815.0000000000497000.00000002.00020000.sdmpBinary or memory string: OriginalFilename$ vs Purchase Order.exe
                  Source: Purchase Order.exe, 00000000.00000002.235254861.0000000002280000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs Purchase Order.exe
                  Source: Purchase Order.exe, 00000000.00000002.237882792.0000000004272000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Purchase Order.exe
                  Source: Purchase Order.exe, 00000000.00000002.237882792.0000000004272000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Purchase Order.exe
                  Source: Purchase Order.exe, 00000000.00000002.237882792.0000000004272000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs Purchase Order.exe
                  Source: Purchase Order.exeBinary or memory string: OriginalFilename vs Purchase Order.exe
                  Source: Purchase Order.exeBinary or memory string: OriginalFileName vs Purchase Order.exe
                  Source: Purchase Order.exe, 00000001.00000000.233889520.0000000000497000.00000002.00020000.sdmpBinary or memory string: OriginalFilename$ vs Purchase Order.exe
                  Source: Purchase Order.exe, 00000001.00000002.507506542.0000000003B41000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs Purchase Order.exe
                  Source: Purchase Order.exe, 00000001.00000002.507506542.0000000003B41000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Purchase Order.exe
                  Source: Purchase Order.exe, 00000001.00000002.504103002.00000000023D2000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs Purchase Order.exe
                  Source: Purchase Order.exe, 00000001.00000002.506600160.0000000002B41000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Purchase Order.exe
                  Source: Purchase Order.exe, 00000001.00000002.510765565.0000000007130000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs Purchase Order.exe
                  Source: Purchase Order.exeBinary or memory string: OriginalFilename$ vs Purchase Order.exe
                  Source: 00000001.00000002.502501367.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 00000001.00000002.502501367.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 00000001.00000002.503614926.0000000002252000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 00000001.00000002.503614926.0000000002252000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 00000001.00000002.503482089.00000000021C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 00000001.00000002.503482089.00000000021C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 00000000.00000002.237882792.0000000004272000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 00000000.00000002.237882792.0000000004272000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 00000000.00000002.238441155.0000000004307000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 00000000.00000002.238441155.0000000004307000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 00000001.00000002.503852912.0000000002352000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 00000001.00000002.503852912.0000000002352000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 00000001.00000002.502324995.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 00000001.00000002.502324995.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 00000001.00000002.506600160.0000000002B41000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 1.2.Purchase Order.exe.2350000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 1.2.Purchase Order.exe.2350000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 1.2.Purchase Order.exe.21c0000.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 1.2.Purchase Order.exe.21c0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 1.2.Purchase Order.exe.21c0000.1.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 1.2.Purchase Order.exe.21c0000.1.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 0.2.Purchase Order.exe.4210000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 0.2.Purchase Order.exe.4210000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 1.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 1.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 0.2.Purchase Order.exe.4270000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 0.2.Purchase Order.exe.4270000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 1.2.Purchase Order.exe.2250000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 1.2.Purchase Order.exe.2250000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 0.2.Purchase Order.exe.4270000.3.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                  Source: 0.2.Purchase Order.exe.4270000.3.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                  Source: 0.2.Purchase Order.exe.4270000.3.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                  Source: 0.2.Purchase Order.exe.4270000.3.unpack, Form1.csCryptographic APIs: 'CreateDecryptor'
                  Source: 1.2.Purchase Order.exe.2250000.2.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                  Source: 1.2.Purchase Order.exe.2250000.2.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                  Source: 1.2.Purchase Order.exe.2250000.2.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                  Source: 1.2.Purchase Order.exe.2250000.2.unpack, Form1.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.Purchase Order.exe.4270000.3.unpack, Form1.csBase64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                  Source: 1.2.Purchase Order.exe.2250000.2.unpack, Form1.csBase64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                  Source: 1.2.Purchase Order.exe.400000.0.unpack, Form1.csBase64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                  Source: 1.2.Purchase Order.exe.2350000.3.unpack, Form1.csBase64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                  Source: 1.2.Purchase Order.exe.2250000.2.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                  Source: 0.2.Purchase Order.exe.4270000.3.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                  Source: 1.2.Purchase Order.exe.2350000.3.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                  Source: 1.2.Purchase Order.exe.400000.0.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                  Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@7/3@4/3
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_00420C50 GetLastError,FormatMessageA,0_2_00420C50
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_00408D40 GetDiskFreeSpaceA,0_2_00408D40
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification,3_2_00411196
                  Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_00413DB0 FindResourceA,0_2_00413DB0
                  Source: C:\Users\user\Desktop\Purchase Order.exeFile created: C:\Users\user\AppData\Roaming\pid.txtJump to behavior
                  Source: C:\Users\user\Desktop\Purchase Order.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeFile created: C:\Users\user\AppData\Local\Temp\holdermail.txtJump to behavior
                  Source: C:\Users\user\Desktop\Purchase Order.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                  Source: C:\Users\user\Desktop\Purchase Order.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
                  Source: C:\Users\user\Desktop\Purchase Order.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                  Source: C:\Users\user\Desktop\Purchase Order.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeSystem information queried: HandleInformationJump to behavior
                  Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\Purchase Order.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: C:\Users\user\Desktop\Purchase Order.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\Purchase Order.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\Purchase Order.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\Purchase Order.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\Purchase Order.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\Purchase Order.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: Purchase Order.exe, vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                  Source: Purchase Order.exe, vbc.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                  Source: Purchase Order.exe, 00000000.00000002.237882792.0000000004272000.00000040.00000001.sdmp, Purchase Order.exe, 00000001.00000002.507506542.0000000003B41000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.262393529.0000000000400000.00000040.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                  Source: Purchase Order.exe, vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                  Source: Purchase Order.exe, vbc.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                  Source: Purchase Order.exe, vbc.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                  Source: Purchase Order.exe, vbc.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                  Source: Purchase Order.exeReversingLabs: Detection: 52%
                  Source: unknownProcess created: C:\Users\user\Desktop\Purchase Order.exe 'C:\Users\user\Desktop\Purchase Order.exe'
                  Source: unknownProcess created: C:\Users\user\Desktop\Purchase Order.exe 'C:\Users\user\Desktop\Purchase Order.exe'
                  Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                  Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                  Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Users\user\Desktop\Purchase Order.exe 'C:\Users\user\Desktop\Purchase Order.exe' Jump to behavior
                  Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'Jump to behavior
                  Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'Jump to behavior
                  Source: C:\Users\user\Desktop\Purchase Order.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                  Source: C:\Users\user\Desktop\Purchase Order.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
                  Source: C:\Users\user\Desktop\Purchase Order.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
                  Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Purchase Order.exe
                  Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Purchase Order.exe, vbc.exe
                  Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Purchase Order.exe, vbc.exe

                  Data Obfuscation:

                  barindex
                  Detected unpacking (changes PE section rights)Show sources
                  Source: C:\Users\user\Desktop\Purchase Order.exeUnpacked PE file: 1.2.Purchase Order.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                  Detected unpacking (creates a PE file in dynamic memory)Show sources
                  Source: C:\Users\user\Desktop\Purchase Order.exeUnpacked PE file: 1.2.Purchase Order.exe.2350000.3.unpack
                  Detected unpacking (overwrites its own PE header)Show sources
                  Source: C:\Users\user\Desktop\Purchase Order.exeUnpacked PE file: 1.2.Purchase Order.exe.400000.0.unpack
                  .NET source code contains potential unpackerShow sources
                  Source: 0.2.Purchase Order.exe.4270000.3.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 0.2.Purchase Order.exe.4270000.3.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(Sy