Analysis Report PURCHASE ORDER.exe

Overview

General Information

Sample Name: PURCHASE ORDER.exe
Analysis ID: 321194
MD5: 8e2337f7cdd4bcd18e862b7a73734d49
SHA1: 457de2e691794711d257ab9c6315d6f26465ce1a
SHA256: d30629a1a9aad3b8bc1e3827ab767473089214fd801b556f9ed3430f39bacbdd
Tags: exe HawkEye

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file / registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Keylogger Generic
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: PURCHASE ORDER.exe.5140.29.memstr Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Multi AV Scanner detection for submitted file
Source: PURCHASE ORDER.exe Virustotal: Detection: 52%
Source: PURCHASE ORDER.exe ReversingLabs: Detection: 54%
Machine Learning detection for sample
Source: PURCHASE ORDER.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 18.2.PURCHASE ORDER.exe.21b0000.1.unpack Avira: Label: TR/Inject.vcoldi
Source: 16.2.PURCHASE ORDER.exe.2720000.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 34.2.PURCHASE ORDER.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 34.2.PURCHASE ORDER.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 34.2.PURCHASE ORDER.exe.2390000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 34.2.PURCHASE ORDER.exe.2390000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 34.2.PURCHASE ORDER.exe.2280000.2.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 34.2.PURCHASE ORDER.exe.2280000.2.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 18.2.PURCHASE ORDER.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 18.2.PURCHASE ORDER.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 29.2.PURCHASE ORDER.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 29.2.PURCHASE ORDER.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 2.2.PURCHASE ORDER.exe.ae0000.1.unpack Avira: Label: TR/Inject.vcoldi
Source: 34.2.PURCHASE ORDER.exe.680000.1.unpack Avira: Label: TR/Inject.vcoldi
Source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.PURCHASE ORDER.exe.2630000.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 33.2.PURCHASE ORDER.exe.2720000.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 29.2.PURCHASE ORDER.exe.2290000.1.unpack Avira: Label: TR/Inject.vcoldi

Spreading:

May infect USB drives
Source: PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: PURCHASE ORDER.exe Binary or memory string: [autorun]
Source: PURCHASE ORDER.exe Binary or memory string: autorun.inf
Source: PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00408978 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 1_2_00408978
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00408A78 FindFirstFileA,GetLastError, 1_2_00408A78
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00405B54 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 1_2_00405B54
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_00408978 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 3_2_00408978
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_00408A78 FindFirstFileA,GetLastError, 3_2_00408A78
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_00405B54 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 3_2_00405B54
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 7_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 8_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 8_2_00407E0E

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2019926 ET TROJAN HawkEye Keylogger Report SMTP 192.168.2.5:49724 -> 166.62.27.57:587
Source: Traffic Snort IDS: 2019926 ET TROJAN HawkEye Keylogger Report SMTP 192.168.2.5:49740 -> 166.62.27.57:587
Source: Traffic Snort IDS: 2019926 ET TROJAN HawkEye Keylogger Report SMTP 192.168.2.5:49762 -> 166.62.27.57:587
Source: Traffic Snort IDS: 2019926 ET TROJAN HawkEye Keylogger Report SMTP 192.168.2.5:49767 -> 166.62.27.57:587
May check the online IP address of the machine
Source: unknown DNS query: name: whatismyipaddress.com
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49724 -> 166.62.27.57:587
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.16.155.36
Source: Joe Sandbox View IP Address: 166.62.27.57
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.5:49724 -> 166.62.27.57:587
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Source: vbc.exe, 00000008.00000002.268988191.00000000005CE000.00000004.00000040.sdmp, vbc.exe, 00000016.00000003.334066418.000000000095E000.00000004.00000001.sdmp, vbc.exe, 00000027.00000003.417414643.0000000000A0E000.00000004.00000001.sdmp String found in binary or memory: &ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/logine%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehp equals www.facebook.com (Facebook)
Source: vbc.exe, 00000008.00000002.268988191.00000000005CE000.00000004.00000040.sdmp, vbc.exe, 00000016.00000003.334066418.000000000095E000.00000004.00000001.sdmp, vbc.exe, 00000027.00000003.417414643.0000000000A0E000.00000004.00000001.sdmp String found in binary or memory: &ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/logine%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehp equals www.yahoo.com (Yahoo)
Source: PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000002.00000002.296134787.0000000003BC1000.00000004.00000001.sdmp, vbc.exe, 00000008.00000002.268465330.0000000000400000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, vbc.exe, 00000016.00000002.335094690.0000000000400000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, vbc.exe, 00000027.00000002.417706986.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000002.00000002.296134787.0000000003BC1000.00000004.00000001.sdmp, vbc.exe, 00000008.00000002.268465330.0000000000400000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, vbc.exe, 00000016.00000002.335094690.0000000000400000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, vbc.exe, 00000027.00000002.417706986.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: PURCHASE ORDER.exe, vbc.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown DNS traffic detected: queries for: 194.167.4.0.in-addr.arpa
Source: PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000002.00000002.296134787.0000000003BC1000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: PURCHASE ORDER.exe, 00000002.00000003.243158322.000000000509D000.00000004.00000001.sdmp String found in binary or memory: http://en.wikipedia
Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: PURCHASE ORDER.exe, 00000002.00000003.243348763.00000000050C5000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com(
Source: PURCHASE ORDER.exe, 00000002.00000003.243348763.00000000050C5000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.comu
Source: PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000002.00000002.296134787.0000000003BC1000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: PURCHASE ORDER.exe, 00000002.00000002.293899335.0000000002BC1000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.355012308.0000000002AB1000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.384934808.0000000002FC2000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com
Source: PURCHASE ORDER.exe, PURCHASE ORDER.exe, 00000012.00000002.355012308.0000000002AB1000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.384284162.0000000002BFE000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com/
Source: PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000002.00000002.292566171.0000000000B92000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com/-
Source: PURCHASE ORDER.exe, 0000001D.00000002.384934808.0000000002FC2000.00000004.00000001.sdmp String found in binary or memory: http://whatismyipaddress.comx&
Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: PURCHASE ORDER.exe, 00000002.00000003.248731713.00000000050A2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comF
Source: PURCHASE ORDER.exe, 00000002.00000002.296461553.0000000005090000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comaE
Source: PURCHASE ORDER.exe, 00000002.00000002.296461553.0000000005090000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comasc
Source: PURCHASE ORDER.exe, 00000002.00000003.248367150.00000000050A2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comcom
Source: PURCHASE ORDER.exe, 00000002.00000003.248731713.00000000050A2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comd
Source: PURCHASE ORDER.exe, 00000002.00000003.248731713.00000000050A2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comessed
Source: PURCHASE ORDER.exe, 00000002.00000003.248367150.00000000050A2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comli
Source: PURCHASE ORDER.exe, 00000002.00000002.296461553.0000000005090000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comm
Source: PURCHASE ORDER.exe, 00000002.00000002.296461553.0000000005090000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comueta
Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000002.00000003.243270063.00000000050C5000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000002.00000003.245859149.000000000509E000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: PURCHASE ORDER.exe, 00000002.00000003.245859149.000000000509E000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn-
Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PURCHASE ORDER.exe, 00000002.00000003.244906268.00000000050A1000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnLog
Source: PURCHASE ORDER.exe, 00000002.00000003.244906268.00000000050A1000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnayob
Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: PURCHASE ORDER.exe, 00000002.00000003.247344395.000000000509B000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PURCHASE ORDER.exe, 00000002.00000003.247612292.0000000005099000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/8
Source: PURCHASE ORDER.exe, 00000002.00000003.247452033.0000000005095000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/E
Source: PURCHASE ORDER.exe, 00000002.00000003.247452033.0000000005095000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/L
Source: PURCHASE ORDER.exe, 00000002.00000003.247344395.000000000509B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Norm
Source: PURCHASE ORDER.exe, 00000002.00000003.247612292.0000000005099000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: PURCHASE ORDER.exe, 00000002.00000003.247612292.0000000005099000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0J(
Source: PURCHASE ORDER.exe, 00000002.00000003.247344395.000000000509B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/al
Source: PURCHASE ORDER.exe, 00000002.00000003.247344395.000000000509B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/b
Source: PURCHASE ORDER.exe, 00000002.00000003.247344395.000000000509B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/i
Source: PURCHASE ORDER.exe, 00000002.00000003.247344395.000000000509B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/icro
Source: PURCHASE ORDER.exe, 00000002.00000003.247612292.0000000005099000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: PURCHASE ORDER.exe, 00000002.00000003.247612292.0000000005099000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/L
Source: PURCHASE ORDER.exe, 00000002.00000003.247116127.0000000005094000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/ogra
Source: PURCHASE ORDER.exe, 00000002.00000003.247612292.0000000005099000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/p
Source: PURCHASE ORDER.exe, 00000002.00000003.247116127.0000000005094000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/~
Source: PURCHASE ORDER.exe, 00000002.00000003.250146188.00000000050CD000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000002.00000003.249323990.00000000050CC000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.
Source: PURCHASE ORDER.exe, 00000002.00000003.248147520.00000000050A4000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.g
Source: vbc.exe, 00000026.00000002.413012282.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000027.00000002.417706986.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: PURCHASE ORDER.exe, 0000001D.00000002.384284162.0000000002BFE000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: PURCHASE ORDER.exe, 00000002.00000003.245788944.000000000509D000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.
Source: PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: vbc.exe, 00000008.00000002.269515866.00000000007EC000.00000004.00000020.sdmp String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;t
Source: vbc.exe, 00000008.00000003.267880542.000000000219C000.00000004.00000001.sdmp, vbc.exe, 00000008.00000002.269515866.00000000007EC000.00000004.00000020.sdmp, vbc.exe, 00000016.00000003.332376227.000000000219C000.00000004.00000001.sdmp, vbc.exe, 00000027.00000003.416901672.00000000021DC000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: vbc.exe, 00000008.00000003.267880542.000000000219C000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.332376227.000000000219C000.00000004.00000001.sdmp, vbc.exe, 00000027.00000003.416901672.00000000021DC000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
Source: vbc.exe, 00000008.00000003.267880542.000000000219C000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.332376227.000000000219C000.00000004.00000001.sdmp, vbc.exe, 00000027.00000003.416901672.00000000021DC000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
Source: vbc.exe, 00000008.00000002.269515866.00000000007EC000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: vbc.exe, 00000008.00000002.268988191.00000000005CE000.00000004.00000040.sdmp, vbc.exe, 00000016.00000003.334066418.000000000095E000.00000004.00000001.sdmp, vbc.exe, 00000027.00000003.417414643.0000000000A0E000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/login.srfhttps://www.google.com/chrome/https://www.google.com/chrome/thank-yo
Source: vbc.exe, 00000008.00000003.267880542.000000000219C000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.332376227.000000000219C000.00000004.00000001.sdmp, vbc.exe, 00000027.00000003.416901672.00000000021DC000.00000004.00000001.sdmp String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: PURCHASE ORDER.exe, vbc.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: PURCHASE ORDER.exe, 00000002.00000002.293899335.0000000002BC1000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.355012308.0000000002AB1000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.384957063.0000000002FD7000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmp String found in binary or memory: https://whatismyipaddress.com
Source: PURCHASE ORDER.exe, 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmp String found in binary or memory: https://whatismyipaddress.com/
Source: PURCHASE ORDER.exe, 0000001D.00000002.384934808.0000000002FC2000.00000004.00000001.sdmp String found in binary or memory: https://whatismyipaddress.comx&
Source: PURCHASE ORDER.exe, vbc.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: vbc.exe, 00000008.00000002.269515866.00000000007EC000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/chrom
Source: vbc.exe, 00000008.00000002.269515866.00000000007EC000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/chrome/st
Source: vbc.exe, 00000008.00000002.269515866.00000000007EC000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
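Most of the URLs listed above are not indicators at all: the fontbureau.com, monotype, jiyu-kobo.co.jp and similar strings are copyright URLs inside font files that Windows Forms pulls into any .NET binary, and the trailing bytes ("cabarga.htmlN", "fontbureau.comueta") are simply whatever sat next to the string in memory. The handful worth attention are the nirsoft.net string (the bundled MailPassView / WebBrowserPassView recovery tools this report detects), whatismyipaddress.com (the "May check the online IP address" signature) and anything left over, such as http://www.site.com/logs.php. The port lines below the URLs come in pairs (443 -> 49766 and 49766 -> 443 are the two directions of one TLS connection), so the number of distinct ephemeral ports, not the number of lines, is the number of sessions. The following Python script is an added example, not part of the Joe Sandbox report: it parses lines in the shape of these entries and separates font-metadata noise from strings an analyst should look at. The font-vendor label list, the "review manually" bucket and the session pairing by ephemeral port are the example's own assumptions; the sample lines are constructed copies of entries from this section.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: lines copied in the shape of the report's "String found in
# binary or memory" and "Network traffic detected" entries above.
SAMPLE_LINES = """\
Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PURCHASE ORDER.exe, 00000002.00000003.247344395.000000000509B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/icro
Source: PURCHASE ORDER.exe, 00000002.00000003.250146188.00000000050CD000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.
Source: vbc.exe, 00000026.00000002.413012282.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: PURCHASE ORDER.exe, 0000001D.00000002.384284162.0000000002BFE000.00000004.00000001.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: PURCHASE ORDER.exe, vbc.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: PURCHASE ORDER.exe, 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmp String found in binary or memory: https://whatismyipaddress.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
"""

# Second-level labels of font foundries whose URLs live in the metadata of fonts
# embedded by Windows Forms / GDI+; they appear in nearly every .NET binary.
# This list is the example's own triage assumption, not a field of the report.
FONT_VENDOR_LABELS = {
    "fontbureau", "fonts", "founder", "carterandcone", "galapagosdesign",
    "goodfont", "jiyu-kobo", "monotype", "sajatypeworks", "sakkal", "sandoll",
    "tiro", "typography", "urwpp", "zhongyicts",
}
# Labels the report itself ties to a behaviour: nirsoft.net strings belong to the
# bundled MailPassView / WebBrowserPassView tools, whatismyipaddress.com to the
# "checks the online IP address of the machine" signature.
KNOWN_LABELS = {
    "nirsoft": "credential-recovery tool",
    "whatismyipaddress": "external IP lookup",
}

LINE_RE = re.compile(
    r"^Source: (?P<source>.+?) String found in binary or memory: (?P<url>https?://\S+)"
)
FLOW_RE = re.compile(r"HTTP traffic on port (?P<a>\d+) -> (?P<b>\d+)")


def org_label(host):
    """Organisation label of a host, tolerant of the trailing bytes the string
    scanner drags along ('www.fontbureau.comF', 'www.monotype.')."""
    labels = host.split(".")
    if len(labels) < 2:
        return host
    label = labels[-2]
    # country-code second-level domains such as co.jp / com.cn
    if label in {"co", "com", "ne", "or", "ac"} and len(labels) >= 3:
        label = labels[-3]
    return label


def classify(url):
    label = org_label(urlsplit(url).hostname or "")
    if label in FONT_VENDOR_LABELS:
        return "font-metadata noise"
    return KNOWN_LABELS.get(label, "review manually")


def triage_urls(text):
    """Map each category to the list of (first source process, url) pairs."""
    buckets = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proc = m.group("source").split(",")[0]
        buckets.setdefault(classify(m.group("url")), []).append((proc, m.group("url")))
    return buckets


def tls_sessions(text):
    """Group 'port X -> port Y' lines by the ephemeral client port and record
    which directions were logged; one session is one client port, not one line."""
    sessions = {}
    for m in FLOW_RE.finditer(text):
        a, b = int(m.group("a")), int(m.group("b"))
        client = b if a == 443 else a
        sessions.setdefault(client, set()).add("in" if a == 443 else "out")
    return sessions


if __name__ == "__main__":
    for category, hits in triage_urls(SAMPLE_LINES).items():
        print(f"[{category}] {len(hits)} string(s)")
        if category != "font-metadata noise":
            for proc, url in hits:
                print(f"    {proc}: {url}")
    for port, dirs in sorted(tls_sessions(SAMPLE_LINES).items()):
        print(f"client port {port}: {'both directions' if len(dirs) == 2 else 'one direction only'}")
```

Run against the full section, the script collapses the forty-odd font URLs into one line and leaves the nirsoft.net, whatismyipaddress.com, site.com/logs.php and webmail login URLs for manual review; the login URLs are the targets the bundled password-recovery tools search for rather than destinations the sample contacted.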

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match File source: 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.383019570.00000000023B2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.384995181.0000000002FF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.443510229.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.306634331.0000000002817000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292566171.0000000000B92000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.382905012.0000000002322000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292013464.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.382096293.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.353139620.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.385013929.0000000002FF6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.293899335.0000000002BC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.353893754.00000000021B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.353046935.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.353958056.0000000002242000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.400160823.0000000002817000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.444206771.0000000002282000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.367864416.0000000002782000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.443391424.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292462185.0000000000AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.443761363.0000000000680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.291882316.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.382801146.0000000002290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.242972972.0000000002682000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292688488.0000000002412000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.355012308.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 5140, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 5772, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 6524, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 5076, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 6952, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 1396, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 6508, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 764, type: MEMORY
Source: Yara match File source: 34.2.PURCHASE ORDER.exe.2390000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.PURCHASE ORDER.exe.680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.PURCHASE ORDER.exe.21b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.PURCHASE ORDER.exe.21b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.PURCHASE ORDER.exe.2720000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.PURCHASE ORDER.exe.2280000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PURCHASE ORDER.exe.ae0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.PURCHASE ORDER.exe.2290000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.PURCHASE ORDER.exe.680000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PURCHASE ORDER.exe.ae0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.PURCHASE ORDER.exe.2290000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PURCHASE ORDER.exe.2630000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.PURCHASE ORDER.exe.2720000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, Form1.cs .Net Code: HookKeyboard
Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, Form1.cs .Net Code: HookKeyboard
Source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, Form1.cs .Net Code: HookKeyboard
Source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs .Net Code: HookKeyboard
Source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, Form1.cs .Net Code: HookKeyboard
Source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, Form1.cs .Net Code: HookKeyboard
Source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs .Net Code: HookKeyboard
Source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, Form1.cs .Net Code: HookKeyboard
Source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, Form1.cs .Net Code: HookKeyboard
Source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs .Net Code: HookKeyboard
Installs a global keyboard hook
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\PURCHASE ORDER.exe
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\PURCHASE ORDER.exe
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\PURCHASE ORDER.exe
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\PURCHASE ORDER.exe
Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_004070F2 OpenClipboard, 1_2_004070F2
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00422CC4 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader, 1_2_00422CC4
Contains functionality to record screenshots
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_00423308 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 3_2_00423308
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_0045E108 GetKeyboardState,SetKeyboardState,SendMessageA,SendMessageA, 1_2_0045E108
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Window created: window name: CLIPBRDWNDCLASS
Yara detected Keylogger Generic
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 5140, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 5772, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 6524, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 5076, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 6952, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 1396, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 6508, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 764, type: MEMORY
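The Yara match lists above, and the "Matched rule" lines in the System Summary section that follows, identify memory dumps by a name of the form <process index>.<stage>.<dump id>.<base address>.<protection>.<kind>.sdmp. Two things in those names are worth decoding. The fifth field is a page-protection value: 00000040 is PAGE_EXECUTE_READWRITE and 00000004 is PAGE_READWRITE, so a HawkEye rule firing on a 0x40 region is a hit on unpacked, executable code rather than on a configuration blob in the heap. The base address tells you where that code lives: hits at 0x402000 and 0x497000 sit inside the default x86 image base of PURCHASE ORDER.exe itself, which is the rewritten image the process-hollowing and "overwrites its own PE header" signatures refer to, while hits such as 0x2392000 are separately allocated regions that correspond to the .unpack entries (34.2.PURCHASE ORDER.exe.2390000.3.unpack: the 34 is the decimal form of the hex process index 0x22, and the dump starts 0x2000 above the unpacked PE's base). The following Python script is an added example, not part of the Joe Sandbox report: it parses lines in these shapes and summarises, per process index, which hits are in executable memory, which processes had their own image replaced, and which unpacked PEs and rule names belong to them. The field layout of the dump name, the 1 MiB window above 0x400000 and the sample lines are this example's own assumptions and constructed copies.

```python
import re
from collections import defaultdict

# Constructed sample: Yara-match lines copied in the shape of the entries in
# this section and in the "System Summary" section that follows.
SAMPLE_MATCHES = """\
Source: Yara match File source: 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.384995181.0000000002FF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.291882316.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.293899335.0000000002BC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 5140, type: MEMORY
Source: Yara match File source: 34.2.PURCHASE ORDER.exe.2390000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
"""

# winnt.h page-protection constants. Reading the fifth dump-name field as one of
# them is this example's assumption about the sandbox's naming scheme.
PAGE_PROTECTION = {
    0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
}
IMAGE_BASE, IMAGE_WINDOW = 0x400000, 0x100000  # default x86 EXE base; 1 MiB window is a heuristic

DUMP_RE = re.compile(
    r"(?P<proc>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<kind>[0-9A-F]{8})\.sdmp"
)
UNPACK_RE = re.compile(
    r"(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-f]+)\.(?P<idx>\d+)(?:\.raw)?\.unpack"
)
RULE_RE = re.compile(r"Matched rule: (?P<rule>.+?) Author: ")
PID_RE = re.compile(r"Process Memory Space: (?P<image>.+?) PID: (?P<pid>\d+)")


def parse_dump_name(name):
    """Decode '<proc>.<stage>.<id>.<base>.<protection>.<kind>.sdmp'. The process
    index is hex in dump names (0x22) and decimal in .unpack names (34.2....)."""
    m = DUMP_RE.search(name)
    if not m:
        return None
    prot = int(m.group("prot"), 16)
    return {
        "process": int(m.group("proc"), 16),
        "base": int(m.group("base"), 16),
        "protection": PAGE_PROTECTION.get(prot, hex(prot)),
        "executable": bool(prot & 0xF0),  # the PAGE_EXECUTE* flags occupy the high nibble
    }


def new_entry():
    return {"exec_dumps": set(), "rw_dumps": set(), "unpacked_pe": [],
            "rules": set(), "image_rewritten": False}


def summarize(text):
    """Group matches by process index. A hit in an executable region within the
    first MiB above 0x400000 means the process's own image was replaced, which
    is what the hollowing / PE-header-overwrite signatures describe."""
    per_proc = defaultdict(new_entry)
    for line in text.splitlines():
        d = parse_dump_name(line)
        if d:
            entry = per_proc[d["process"]]
            (entry["exec_dumps"] if d["executable"] else entry["rw_dumps"]).add(d["base"])
            if d["executable"] and IMAGE_BASE <= d["base"] < IMAGE_BASE + IMAGE_WINDOW:
                entry["image_rewritten"] = True
            r = RULE_RE.search(line)
            if r:
                entry["rules"].add(r.group("rule"))
        u = UNPACK_RE.search(line)
        if u:
            per_proc[int(u.group("proc"))]["unpacked_pe"].append(int(u.group("base"), 16))
    return dict(per_proc)


def pids(text):
    """PIDs of the processes whose whole memory space matched."""
    return {int(m.group("pid")) for m in PID_RE.finditer(text)}


if __name__ == "__main__":
    for proc, e in sorted(summarize(SAMPLE_MATCHES).items()):
        print(f"process 0x{proc:02X} (unpack prefix {proc}.): "
              f"exec hits {[hex(b) for b in sorted(e['exec_dumps'])]}, "
              f"rw hits {[hex(b) for b in sorted(e['rw_dumps'])]}, "
              f"unpacked PE at {[hex(b) for b in e['unpacked_pe']]}, "
              f"image rewritten: {e['image_rewritten']}, rules: {sorted(e['rules'])}")
    print("processes matched as a whole:", sorted(pids(SAMPLE_MATCHES)))
```

Over the full section this gives eight process indices for the same image name, each with an executable hit inside its own image base and one or more hits in separately allocated RWX regions, which matches the eight PIDs in the "Process Memory Space" lines and the repeated "Injects a PE file into a foreign processes" and "Sample uses process hollowing technique" signatures.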

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.383019570.00000000023B2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000002.383019570.00000000023B2000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.384995181.0000000002FF0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000002.443510229.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000002.443510229.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.306634331.0000000002817000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.306634331.0000000002817000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.292566171.0000000000B92000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.292566171.0000000000B92000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.382905012.0000000002322000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000002.382905012.0000000002322000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.292013464.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.292013464.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.382096293.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000002.382096293.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.353139620.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.353139620.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.293899335.0000000002BC1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.293899335.0000000002BC1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.353893754.00000000021B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.353893754.00000000021B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.353046935.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.353046935.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.353958056.0000000002242000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.353958056.0000000002242000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000021.00000002.400160823.0000000002817000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000002.400160823.0000000002817000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000002.444206771.0000000002282000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000002.444206771.0000000002282000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.367864416.0000000002782000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.367864416.0000000002782000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000002.443391424.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000002.443391424.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.292462185.0000000000AE0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.292462185.0000000000AE0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000002.443761363.0000000000680000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000002.443761363.0000000000680000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.291882316.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.291882316.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.382801146.0000000002290000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000002.382801146.0000000002290000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.242972972.0000000002682000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.242972972.0000000002682000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.292688488.0000000002412000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.292688488.0000000002412000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.355012308.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.355012308.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 34.2.PURCHASE ORDER.exe.2390000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 34.2.PURCHASE ORDER.exe.2390000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 34.2.PURCHASE ORDER.exe.680000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 34.2.PURCHASE ORDER.exe.680000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.PURCHASE ORDER.exe.21b0000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.PURCHASE ORDER.exe.21b0000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.PURCHASE ORDER.exe.21b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.PURCHASE ORDER.exe.21b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.PURCHASE ORDER.exe.2720000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.PURCHASE ORDER.exe.2720000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 34.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 34.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 34.2.PURCHASE ORDER.exe.2280000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 34.2.PURCHASE ORDER.exe.2280000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.PURCHASE ORDER.exe.ae0000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.PURCHASE ORDER.exe.ae0000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 29.2.PURCHASE ORDER.exe.2290000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.2.PURCHASE ORDER.exe.2290000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 34.2.PURCHASE ORDER.exe.680000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 34.2.PURCHASE ORDER.exe.680000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.PURCHASE ORDER.exe.ae0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.PURCHASE ORDER.exe.ae0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 29.2.PURCHASE ORDER.exe.2290000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.2.PURCHASE ORDER.exe.2290000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.PURCHASE ORDER.exe.2630000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PURCHASE ORDER.exe.2630000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 33.2.PURCHASE ORDER.exe.2720000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 33.2.PURCHASE ORDER.exe.2720000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
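The Source names above say where each Yara hit landed, and reading them is most of the triage. The Python below is an added helper, not part of the sandbox report or of either rule author's tooling: it parses the MEMORY and UNPACKEDPE source names, groups the hits per process and region, and picks out the hits that sit in writable+executable regions (the footprint of the unpacking and hollowing signatures listed in the overview). The field layout it assumes (hexadecimal process index, phase, dump id, 64-bit base address, a Win32 PAGE_* protection value, and an opaque trailing field for MEMORY names; decimal process index and phase for .unpack names) is inferred from the values in the listing, not documented on the page. A useful cross-check falls out of that assumption: the MEMORY index 0000001D is process 29, the same process that produces the 29.2.PURCHASE ORDER.exe.*.unpack hits. The five input lines are copied from the listing above.

```python
"""Triage helper for the Yara 'Source:' lines of a sandbox report.

Added example; it is not part of the report or of either rule author's tooling.
Field layout assumed from the values in the listing:
  MEMORY     : <pid hex>.<phase hex>.<dump id>.<base hex>.<protect hex>.<opaque>.sdmp
  UNPACKEDPE : <pid dec>.<phase dec>.<image name>.<base hex>.<seq>[.raw].unpack
"""
import re
from collections import defaultdict

# Win32 PAGE_* constants; mapping the 8-digit protection field onto them is
# an assumption that fits every value seen in the listing.
PAGE_PROTECT = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}

LINE_RE = re.compile(
    r"^Source:\s+(?P<src>.+?),\s+type:\s+(?P<type>\w+)\s+"
    r"Matched rule:\s+(?P<rule>.+?)\s+Author:\s+(?P<author>.+?)\s*$"
)
MEMORY_RE = re.compile(
    r"^(?P<pid>[0-9a-f]{8})\.(?P<phase>[0-9a-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<prot>[0-9a-f]{8})\.(?P<kind>[0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)
UNPACK_RE = re.compile(
    r"^(?P<pid>\d+)\.(?P<phase>\d+)\.(?P<image>.+)\.(?P<base>[0-9a-f]+)\."
    r"(?P<seq>\d+)(?P<raw>\.raw)?\.unpack$",
    re.IGNORECASE,
)


def parse_source(src, typ):
    """Decode one Source name into process index, base address and protection."""
    if typ == "MEMORY":
        m = MEMORY_RE.match(src)
        if not m:
            raise ValueError("unrecognised MEMORY source: " + src)
        prot = int(m["prot"], 16)
        return {
            "pid": int(m["pid"], 16),      # hexadecimal here: 0000001D == process 29
            "phase": int(m["phase"], 16),
            "base": int(m["base"], 16),
            "protection": PAGE_PROTECT.get(prot, "0x%x" % prot),
            "raw": False,
        }
    if typ == "UNPACKEDPE":
        m = UNPACK_RE.match(src)
        if not m:
            raise ValueError("unrecognised UNPACKEDPE source: " + src)
        return {
            "pid": int(m["pid"]),          # decimal in .unpack names: 29.2.<image>...
            "phase": int(m["phase"]),
            "base": int(m["base"], 16),
            "protection": None,            # not recorded in unpacked PE names
            "raw": m["raw"] is not None,   # True for the .raw.unpack variant
        }
    raise ValueError("unknown source type: " + typ)


def parse_listing(lines):
    """Turn 'Source: ... Matched rule: ... Author: ...' lines into records."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                        # headings and non-match lines are skipped
        rec = parse_source(m["src"], m["type"])
        rec.update(type=m["type"], rule=m["rule"], author=m["author"], source=m["src"])
        records.append(rec)
    return records


def by_process(records):
    """Group matched rule names by process index and region base address."""
    grouped = defaultdict(lambda: defaultdict(set))
    for r in records:
        grouped[r["pid"]][r["base"]].add(r["rule"])
    return {pid: dict(bases) for pid, bases in grouped.items()}


def rwx_hits(records):
    """Memory hits inside PAGE_EXECUTE_READWRITE regions: code that was
    unpacked or hollowed in place, matching the unpacking signatures."""
    return [r for r in records
            if r["type"] == "MEMORY" and r["protection"] == "PAGE_EXECUTE_READWRITE"]


# Five lines copied from the listing above (process 0000001D == 29).
SAMPLE = """\
Source: 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000002.382096293.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.384995181.0000000002FF0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.2.PURCHASE ORDER.exe.2290000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
""".splitlines()

if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    for pid, bases in sorted(by_process(recs).items()):
        for base, rules in sorted(bases.items()):
            print("process %2d base 0x%08x: %s" % (pid, base, ", ".join(sorted(rules))))
    print("%d RWX region(s) carry a HawkEye signature" % len(rwx_hits(recs)))
```

Feed the whole signature section in and the per-process table shows which regions to pull first: the 0x400000-range hits with PAGE_EXECUTE_READWRITE are the hollowed image, the 0x2xxxxxx and 0x6xxxxxx hits with PAGE_READWRITE are heap copies of the same payload.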
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: PURCHASE ORDER.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_0045AACC NtdllDefWindowProc_A, 1_2_0045AACC
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_0045B248 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 1_2_0045B248
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_0045B2F8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 1_2_0045B2F8
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_0044F67C GetSubMenu,SaveDC,RestoreDC,7378B080,SaveDC,RestoreDC,NtdllDefWindowProc_A, 1_2_0044F67C
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00433DC8 NtdllDefWindowProc_A, 1_2_00433DC8
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_0043FF18 NtdllDefWindowProc_A,GetCapture, 1_2_0043FF18
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 2_2_00490159 NtCreateSection, 2_2_00490159
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_0045AACC NtdllDefWindowProc_A, 3_2_0045AACC
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_0045B248 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 3_2_0045B248
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_0045B2F8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 3_2_0045B2F8
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_0044F67C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, 3_2_0044F67C
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_00433DC8 NtdllDefWindowProc_A, 3_2_00433DC8
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_0043FF18 NtdllDefWindowProc_A,GetCapture, 3_2_0043FF18
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 8_2_00408836
Detected potential crypto function
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_004551A0 1_2_004551A0
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_0044F67C 1_2_0044F67C
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 2_2_0040D426 2_2_0040D426
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 2_2_0040D523 2_2_0040D523
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 2_2_0041D5AE 2_2_0041D5AE
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 2_2_00417646 2_2_00417646
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 2_2_0040D6C4 2_2_0040D6C4
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 2_2_004429BE 2_2_004429BE
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 2_2_00446AF4 2_2_00446AF4
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 2_2_0046ABFC 2_2_0046ABFC
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 2_2_00463C4D 2_2_00463C4D
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 2_2_00463CBE 2_2_00463CBE
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 2_2_0040ED03 2_2_0040ED03
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 2_2_00463D2F 2_2_00463D2F
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 2_2_00463DC0 2_2_00463DC0
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 2_2_0040CF92 2_2_0040CF92
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 2_2_0041AFA6 2_2_0041AFA6
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 2_2_0048F13D 2_2_0048F13D
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 2_2_00489976 2_2_00489976
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 2_2_004F9017 2_2_004F9017
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 2_2_004F90A8 2_2_004F90A8
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 2_2_004A227A 2_2_004A227A
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 2_2_004B028E 2_2_004B028E
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 2_2_0043C7BC 2_2_0043C7BC
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_004551A0 3_2_004551A0
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_0044F67C 3_2_0044F67C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00404DDB 7_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_0040BD8A 7_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00404E4C 7_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00404EBD 7_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00404F4E 7_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00404419 8_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00404516 8_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00413538 8_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_004145A1 8_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_0040E639 8_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_004337AF 8_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_004399B1 8_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_0043DAE7 8_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00405CF6 8_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00403F85 8_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00411F99 8_2_00411F99
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00411538 appears 35 times
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: String function: 00403648 appears 46 times
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: String function: 0044BA9D appears 35 times
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: String function: 00403A14 appears 62 times
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: String function: 0040674C appears 32 times
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: String function: 004043D8 appears 34 times
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: String function: 0040C464 appears 36 times
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: String function: 004043B4 appears 149 times
One or more processes crash
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2104
PE file contains strange resources
Source: PURCHASE ORDER.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: PURCHASE ORDER.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: PURCHASE ORDER.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: PURCHASE ORDER.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: PURCHASE ORDER.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: PURCHASE ORDER.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: PURCHASE ORDER.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: PURCHASE ORDER.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: PURCHASE ORDER.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: PURCHASE ORDER.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: PURCHASE ORDER.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: PURCHASE ORDER.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
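Twelve RT_BITMAP resources whose bytes are typed as something other than bitmap data is the usual place a packed stage is parked. The Python below is an added check, not taken from the report: it decides whether a resource body is a plausible device-independent bitmap (a bare BITMAPINFOHEADER or one of its variants, since an RT_BITMAP resource carries no BM file header) and, when it is not, uses byte entropy to separate a packed payload from harmless non-bitmap data. It does not walk the PE resource tree itself; hand it the body of each RT_BITMAP entry from a PE parser such as pefile. The sample resources are constructed in the block and the 7.0 entropy cut-off is an assumed threshold.

```python
"""Check whether RT_BITMAP resource bytes are really a bitmap.

Added example, not part of the report. An RT_BITMAP resource is a bare DIB:
a BITMAPINFOHEADER (or variant), colour table and pixel rows, with no 'BM'
file header. Resources that fail that check and have high byte entropy are
the usual hiding place for a packed stage. The 7.0 cut-off is an assumption.
"""
import hashlib
import math
import struct

DIB_HEADER_SIZES = {12, 40, 52, 56, 108, 124}   # CORE, INFO, V2, V3, V4, V5
VALID_BPP = {1, 4, 8, 16, 24, 32}


def looks_like_dib(data):
    """True if data starts with a plausible BITMAPCOREHEADER/BITMAPINFOHEADER."""
    if len(data) < 12:
        return False
    size = struct.unpack_from("<I", data, 0)[0]
    if size not in DIB_HEADER_SIZES or size > len(data):
        return False
    if size == 12:       # BITMAPCOREHEADER: WORD width, height, planes, bpp
        width, height, planes, bpp = struct.unpack_from("<HHHH", data, 4)
    else:                # BITMAPINFOHEADER and later: LONG width/height, WORD planes/bpp
        width, height, planes, bpp = struct.unpack_from("<iiHH", data, 4)
    return planes == 1 and bpp in VALID_BPP and width > 0 and height != 0


def shannon_entropy(data):
    """Bits per byte, from 0.0 (constant) to 8.0 (uniform random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_bitmap_resource(data, entropy_threshold=7.0):
    """'dib' for a real bitmap, 'packed' for high-entropy non-DIB bytes, else 'unknown'."""
    if looks_like_dib(data):
        return "dib"
    return "packed" if shannon_entropy(data) >= entropy_threshold else "unknown"


# --- constructed sample resources -------------------------------------------

def build_dib(width=2, height=2):
    """A valid 24-bit DIB as it would sit in an RT_BITMAP resource."""
    stride = (width * 3 + 3) & ~3              # pixel rows are padded to 4 bytes
    header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24,
                         0, stride * height, 2835, 2835, 0, 0)
    return header + bytes(range(stride * height))


def pseudo_random_bytes(n, seed=b"constructed payload"):
    """Deterministic high-entropy filler standing in for a packed stage."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


REAL_BITMAP = build_dib()
PACKED_BLOB = pseudo_random_bytes(4096)
ZERO_BLOB = b"\x00" * 64

if __name__ == "__main__":
    for name, blob in (("real bitmap", REAL_BITMAP), ("packed blob", PACKED_BLOB),
                       ("zeros", ZERO_BLOB)):
        print("%-12s entropy %.2f -> %s" % (name, shannon_entropy(blob),
                                            classify_bitmap_resource(blob)))
```

A resource that classifies as packed is worth dumping and scanning on its own; a compressed or encrypted stage will also fail the DIB check in every one of the twelve entries, which is the pattern this signature is reporting.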
Sample file is different than original file name gathered from version info
Source: PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000001.00000002.242724374.0000000002160000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe Binary or memory string: OriginalFilename vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe Binary or memory string: OriginalFileName vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000002.00000002.293899335.0000000002BC1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000002.00000002.296134787.0000000003BC1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000002.00000002.296134787.0000000003BC1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000002.00000002.292013464.0000000000497000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000002.00000002.298858340.0000000007350000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000010.00000002.306634331.0000000002817000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000010.00000002.306231588.0000000002490000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000012.00000002.359412017.0000000006F20000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000012.00000002.354017933.00000000022C2000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000012.00000002.358996033.0000000006730000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000013.00000002.362746743.00000000022A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 0000001D.00000002.389143637.0000000006870000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 0000001E.00000002.394685072.00000000022B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000021.00000002.399331327.0000000002370000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000021.00000002.400122887.0000000002802000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000022.00000002.448831340.0000000006350000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000022.00000002.443510229.0000000000497000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000022.00000002.443932118.0000000000887000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs PURCHASE ORDER.exe
These OriginalFilename values are version-resource strings of code the sample carries in memory, and none of them matches the name it runs under. WebBrowserPassView.exe and mailpv.exe are the NirSoft browser and mail password recovery tools that HawkEye bundles for credential theft (they correspond to the WebBrowserPassView and MailPassView Yara detections in the summary), CMemoryExecute.dll is the name of a .NET in-memory PE execution helper commonly embedded by crypters, and Phulli.exe is the original name of one of the embedded executables. Kernelbase.dll.mui, user32 and mscorwks.dll are ordinary system modules picked up by the same string scan and carry no signal.
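The lines above are the sandbox's string scan finding version-resource OriginalFilename values in memory that disagree with the name the sample runs under. The script below is an added example, not part of the Joe Sandbox report or its tooling; it reproduces that check over any PE file or memory dump by locating the UTF-16LE OriginalFilename key and reading the value that follows it. The blob it scans is constructed here to mimic VS_VERSIONINFO String entries carrying the names seen in this report, and the handling of padding between key and value is a heuristic for scanning raw memory where the structure offset is unknown.

```python
"""Pull every OriginalFilename value out of a PE or memory dump and compare it
with the name the sample runs under (the check behind the report's
"OriginalFilename<x> vs PURCHASE ORDER.exe" lines).

Added example, not part of the Joe Sandbox report. SAMPLE_BLOB is constructed
below; the zero-word skipping after the key is a heuristic."""

# VS_VERSIONINFO keys and values are null-terminated UTF-16LE strings.
KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"


def original_filenames(blob: bytes) -> list[str]:
    """Return each OriginalFilename value found in blob, in order of appearance.

    In a String entry the key is followed by padding to a 4-byte boundary and
    then the value. When scanning raw memory the struct offset is unknown, so
    any zero words after the key are skipped and the value is read up to its
    UTF-16 terminator.
    """
    found: list[str] = []
    pos = 0
    while (pos := blob.find(KEY, pos)) != -1:
        pos += len(KEY)
        while blob[pos:pos + 2] == b"\x00\x00":      # skip alignment padding
            pos += 2
        end = pos
        while end + 1 < len(blob) and blob[end:end + 2] != b"\x00\x00":
            end += 2                                  # advance one UTF-16 unit
        try:
            value = blob[pos:end].decode("utf-16-le")
        except UnicodeDecodeError:
            pos = end
            continue
        if value:
            found.append(value)
        pos = end
    return found


def mismatches(blob: bytes, running_as: str) -> list[str]:
    """OriginalFilename values that differ (case-insensitively) from the file
    name the code runs under: embedded tools, payloads or renamed binaries."""
    return [v for v in original_filenames(blob) if v.lower() != running_as.lower()]


def vs_string(key: str, value: str) -> bytes:
    """Build one VS_VERSIONINFO String entry: wLength, wValueLength (in WCHARs),
    wType = 1 (text), szKey, padding to a 4-byte boundary, then the value."""
    key_b = key.encode("utf-16-le") + b"\x00\x00"
    val_b = value.encode("utf-16-le") + b"\x00\x00"
    pad = b"\x00" * (-(6 + len(key_b)) % 4)
    length = 6 + len(key_b) + len(pad) + len(val_b)
    return (length.to_bytes(2, "little") + (len(value) + 1).to_bytes(2, "little")
            + (1).to_bytes(2, "little") + key_b + pad + val_b)


# Constructed stand-in for a memory dump: filler bytes, a version entry for one
# of the bundled NirSoft tools, an unrelated key, a second tool, then the
# sample's own name (which must not be reported as a mismatch).
SAMPLE_BLOB = (
    b"MZ\x90\x00" + bytes(range(32))
    + vs_string("OriginalFilename", "WebBrowserPassView.exe")
    + vs_string("ProductName", "Web Browser Password Viewer")
    + vs_string("OriginalFilename", "mailpv.exe")
    + bytes(range(64, 96))
    + vs_string("OriginalFilename", "PURCHASE ORDER.exe")
)

if __name__ == "__main__":
    for name in mismatches(SAMPLE_BLOB, "PURCHASE ORDER.exe"):
        print(f"OriginalFilename {name} vs PURCHASE ORDER.exe")
```

Run it against a real dump with `mismatches(open(path, "rb").read(), "PURCHASE ORDER.exe")`; hits on well-known tool names such as the NirSoft utilities are a quick triage signal even before Yara rules are applied.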
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Section loaded: phoneinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
(The report lists these three load attempts four times over.) dw20.exe is the .NET Framework 2.0 error-reporting (Watson) shim, launched when a managed process hits an unhandled exception, so its presence means one of the processes in the chain crashed; the missing DLLs are looked up by the reporter itself, not by the sample, and are not useful as indicators.
Yara signature match
Two rules fire on the HawkEye payload. Their metadata is given once here; every source listed below matched both rules unless marked otherwise.
Rule RAT_HawkEye: date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Rule Hawkeye: author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 0000001D.00000002.383019570.00000000023B2000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 0000001D.00000002.384995181.0000000002FF0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye (only)
Source: 00000022.00000002.443510229.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 00000010.00000002.306634331.0000000002817000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 00000002.00000002.292566171.0000000000B92000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 0000001D.00000002.382905012.0000000002322000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 00000002.00000002.292013464.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 0000001D.00000002.382096293.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 00000012.00000002.353139620.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 00000002.00000002.293899335.0000000002BC1000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 00000012.00000002.353893754.00000000021B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 00000012.00000002.353046935.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 00000012.00000002.353958056.0000000002242000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 00000021.00000002.400160823.0000000002817000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 00000022.00000002.444206771.0000000002282000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 0000001C.00000002.367864416.0000000002782000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 00000022.00000002.443391424.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 00000002.00000002.292462185.0000000000AE0000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 00000022.00000002.443761363.0000000000680000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 00000002.00000002.291882316.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 0000001D.00000002.382801146.0000000002290000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 00000001.00000002.242972972.0000000002682000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 00000002.00000002.292688488.0000000002412000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 00000012.00000002.355012308.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye, Hawkeye
Source: 34.2.PURCHASE ORDER.exe.2390000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye, Hawkeye
Source: 34.2.PURCHASE ORDER.exe.680000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye, Hawkeye
Source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye, Hawkeye
Source: 18.2.PURCHASE ORDER.exe.21b0000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye, Hawkeye
Source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye, Hawkeye
Source: 18.2.PURCHASE ORDER.exe.21b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye, Hawkeye
Source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye, Hawkeye
Source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye, Hawkeye
Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye, Hawkeye
Source: 16.2.PURCHASE ORDER.exe.2720000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye, Hawkeye
Source: 34.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye, Hawkeye
Source: 34.2.PURCHASE ORDER.exe.2280000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye, Hawkeye
Source: 2.2.PURCHASE ORDER.exe.ae0000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye, Hawkeye
Source: 29.2.PURCHASE ORDER.exe.2290000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye, Hawkeye
Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye, Hawkeye
Source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye, Hawkeye
Source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye, Hawkeye
Source: 34.2.PURCHASE ORDER.exe.680000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye, Hawkeye
Source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye, Hawkeye
Source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye, Hawkeye
Source: 2.2.PURCHASE ORDER.exe.ae0000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye, Hawkeye
Source: 29.2.PURCHASE ORDER.exe.2290000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye, Hawkeye
Source: 1.2.PURCHASE ORDER.exe.2630000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye, Hawkeye
Source: 33.2.PURCHASE ORDER.exe.2720000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye, Hawkeye
Source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye, Hawkeye
Source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye, Hawkeye
Source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye, Hawkeye
Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: PURCHASE ORDER.exe, 00000002.00000003.248731713.00000000050A2000.00000004.00000001.sdmp Binary or memory string: is a registered trademark of Bigelow & Holmes Inc.slnt
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@44/23@20/3
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00420390 GetLastError,FormatMessageA, 1_2_00420390
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00408D0A GetDiskFreeSpaceA, 1_2_00408D0A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle, 8_2_00411196
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00416B24 FindResourceA,LoadResource,SizeofResource,LockResource, 1_2_00416B24
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File created: C:\Users\user\AppData\Roaming\pid.txt
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER9A98.tmp
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: PURCHASE ORDER.exe, vbc.exe, PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, vbc.exe, 00000016.00000002.335094690.0000000000400000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, vbc.exe, 00000027.00000002.417706986.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: PURCHASE ORDER.exe, vbc.exe, PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, vbc.exe, 00000016.00000002.335094690.0000000000400000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, vbc.exe, 00000027.00000002.417706986.0000000000400000.00000040.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000002.00000002.296134787.0000000003BC1000.00000004.00000001.sdmp, vbc.exe, 00000008.00000002.268465330.0000000000400000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, vbc.exe, 00000016.00000002.335094690.0000000000400000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, vbc.exe, 00000027.00000002.417706986.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: PURCHASE ORDER.exe, vbc.exe, PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, vbc.exe, 00000016.00000002.335094690.0000000000400000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, vbc.exe, 00000027.00000002.417706986.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: PURCHASE ORDER.exe, vbc.exe, PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, vbc.exe, 00000016.00000002.335094690.0000000000400000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, vbc.exe, 00000027.00000002.417706986.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: PURCHASE ORDER.exe, vbc.exe, PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, vbc.exe, 00000016.00000002.335094690.0000000000400000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, vbc.exe, 00000027.00000002.417706986.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: PURCHASE ORDER.exe, vbc.exe, PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, vbc.exe, 00000016.00000002.335094690.0000000000400000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, vbc.exe, 00000027.00000002.417706986.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: PURCHASE ORDER.exe Virustotal: Detection: 52%
Source: PURCHASE ORDER.exe ReversingLabs: Detection: 54%
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File read: C:\Users\user\Desktop\PURCHASE ORDER.exe
Source: unknown Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe 'C:\Users\user\Desktop\PURCHASE ORDER.exe'
Source: unknown Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe 'C:\Users\user\Desktop\PURCHASE ORDER.exe' 2 6524 7175453
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2104
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe C:\Users\user\Desktop\PURCHASE ORDER.exe
Source: unknown Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe 'C:\Users\user\Desktop\PURCHASE ORDER.exe' 2 6952 7204953
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2112
Source: unknown Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe 'C:\Users\user\Desktop\PURCHASE ORDER.exe' 2 5140 7233203
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2304
Source: unknown Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe 'C:\Users\user\Desktop\PURCHASE ORDER.exe' 2 5076 7248218
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2272
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe 'C:\Users\user\Desktop\PURCHASE ORDER.exe'
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe 'C:\Users\user\Desktop\PURCHASE ORDER.exe' 2 6524 7175453
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2104
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe C:\Users\user\Desktop\PURCHASE ORDER.exe
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe 'C:\Users\user\Desktop\PURCHASE ORDER.exe' 2 6952 7204953
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2112
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe 'C:\Users\user\Desktop\PURCHASE ORDER.exe' 2 5140 7233203
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2304
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe 'C:\Users\user\Desktop\PURCHASE ORDER.exe' 2 5076 7248218
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2272
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: PURCHASE ORDER.exe, 00000002.00000002.292879995.0000000002515000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354355516.0000000002405000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.383760694.0000000002825000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444900967.00000000025F5000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbHrs source: PURCHASE ORDER.exe, 00000002.00000002.300307949.0000000007EAA000.00000004.00000010.sdmp, PURCHASE ORDER.exe, 00000012.00000002.359719104.000000000788A000.00000004.00000010.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.390185626.0000000007A0A000.00000004.00000010.sdmp, PURCHASE ORDER.exe, 00000022.00000002.449878099.000000000778A000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\PURCHASE ORDER.PDB+ source: PURCHASE ORDER.exe, 00000022.00000002.444026054.0000000000920000.00000004.00000020.sdmp
Source: Binary string: qt1wsymbols\dll\mscorlib.pdb source: PURCHASE ORDER.exe, 00000012.00000002.359719104.000000000788A000.00000004.00000010.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.390185626.0000000007A0A000.00000004.00000010.sdmp
Source: Binary string: yNqt1wsymbols\dll\mscorlib.pdb source: PURCHASE ORDER.exe, 00000002.00000002.300307949.0000000007EAA000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb-uj source: PURCHASE ORDER.exe, 00000022.00000002.444000578.0000000000907000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: PURCHASE ORDER.exe, 00000002.00000002.292378043.0000000000768000.00000004.00000020.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444046847.000000000094A000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbP source: PURCHASE ORDER.exe, 0000001D.00000002.382476578.0000000000616000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: PURCHASE ORDER.exe, 0000001D.00000002.382476578.0000000000616000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\PURCHASE ORDER.PDBw source: PURCHASE ORDER.exe, 0000001D.00000002.389703160.000000000715A000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdbORDER.exe source: PURCHASE ORDER.exe, 00000002.00000002.292879995.0000000002515000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354355516.0000000002405000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444900967.00000000025F5000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: PURCHASE ORDER.exe, 0000001D.00000002.390185626.0000000007A0A000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbQ source: PURCHASE ORDER.exe, 00000002.00000002.300307949.0000000007EAA000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: PURCHASE ORDER.exe, 00000002.00000002.292879995.0000000002515000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354355516.0000000002405000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.383760694.0000000002825000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444900967.00000000025F5000.00000004.00000040.sdmp
Source: Binary string: .pdb* source: PURCHASE ORDER.exe, 00000002.00000002.300307949.0000000007EAA000.00000004.00000010.sdmp, PURCHASE ORDER.exe, 00000012.00000002.359719104.000000000788A000.00000004.00000010.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.390185626.0000000007A0A000.00000004.00000010.sdmp, PURCHASE ORDER.exe, 00000022.00000002.449878099.000000000778A000.00000004.00000010.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: PURCHASE ORDER.exe, vbc.exe, PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, vbc.exe, 00000016.00000002.335094690.0000000000400000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, vbc.exe, 00000027.00000002.417706986.0000000000400000.00000040.00000001.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbf source: PURCHASE ORDER.exe, 00000002.00000002.292879995.0000000002515000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354355516.0000000002405000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444900967.00000000025F5000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbns\Desktop\PURCHASE ORDER.exe8 source: PURCHASE ORDER.exe, 0000001D.00000002.383760694.0000000002825000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb_ source: PURCHASE ORDER.exe, 00000022.00000002.449878099.000000000778A000.00000004.00000010.sdmp
Source: Binary string: oC:\Windows\mscorlib.pdb source: PURCHASE ORDER.exe, 00000002.00000002.300307949.0000000007EAA000.00000004.00000010.sdmp, PURCHASE ORDER.exe, 00000012.00000002.359719104.000000000788A000.00000004.00000010.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.390185626.0000000007A0A000.00000004.00000010.sdmp, PURCHASE ORDER.exe, 00000022.00000002.449878099.000000000778A000.00000004.00000010.sdmp
Source: Binary string: rlib.pdb source: PURCHASE ORDER.exe, 00000002.00000002.292879995.0000000002515000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354355516.0000000002405000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.383760694.0000000002825000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444900967.00000000025F5000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbj source: PURCHASE ORDER.exe, 0000001D.00000002.383760694.0000000002825000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: PURCHASE ORDER.exe, 00000002.00000002.292879995.0000000002515000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000012.00000002.359719104.000000000788A000.00000004.00000010.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.383760694.0000000002825000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000022.00000002.449878099.000000000778A000.00000004.00000010.sdmp
Source: Binary string: qt1wsymbols\dll\mscorlib.pdbx source: PURCHASE ORDER.exe, 00000022.00000002.449878099.000000000778A000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb, source: PURCHASE ORDER.exe, 00000022.00000002.444026054.0000000000920000.00000004.00000020.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: PURCHASE ORDER.exe, PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.359412017.0000000006F20000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: PURCHASE ORDER.exe, 00000002.00000002.300307949.0000000007EAA000.00000004.00000010.sdmp, PURCHASE ORDER.exe, 00000012.00000002.359719104.000000000788A000.00000004.00000010.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.390185626.0000000007A0A000.00000004.00000010.sdmp, PURCHASE ORDER.exe, 00000022.00000002.449878099.000000000778A000.00000004.00000010.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: PURCHASE ORDER.exe, 00000002.00000002.292879995.0000000002515000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354355516.0000000002405000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.383760694.0000000002825000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444900967.00000000025F5000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: PURCHASE ORDER.exe, vbc.exe, PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, vbc.exe, 00000015.00000002.325960552.0000000000400000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, vbc.exe, 00000026.00000002.413012282.0000000000400000.00000040.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbuK source: PURCHASE ORDER.exe, 00000022.00000002.444046847.000000000094A000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\PURCHASE ORDER.PDBD source: PURCHASE ORDER.exe, 00000002.00000002.292378043.0000000000768000.00000004.00000020.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb@ source: PURCHASE ORDER.exe, 00000012.00000002.359719104.000000000788A000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: PURCHASE ORDER.exe, 00000002.00000002.292879995.0000000002515000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354355516.0000000002405000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.383760694.0000000002825000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444900967.00000000025F5000.00000004.00000040.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Unpacked PE file: 2.2.PURCHASE ORDER.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Unpacked PE file: 18.2.PURCHASE ORDER.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Unpacked PE file: 29.2.PURCHASE ORDER.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Unpacked PE file: 34.2.PURCHASE ORDER.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
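An added check, written for this page and not code from the sandbox or from the sample: a minimal PE section-table parser that renders section rights in the notation the report uses and flags a mismatch between the image as loaded from the file and the image dumped from memory, which is the comparison behind this signature. The two images it compares are built inline from the section layouts listed above for process 2; they are constructed data, not the sample's bytes, and the E/R/W lettering is the script's own.

```python
# Added example, written for this page; it is not code from the sandbox or from the sample.
# Compares the section table of a PE image on disk with that of a dumped in-memory image,
# which is the comparison behind "Detected unpacking (changes PE section rights)".
# The two images below are constructed here from the section layouts the report prints
# for process 2; they are not the sample's actual bytes.
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
E, R, W = IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE


def build_pe(sections):
    """Build a minimal PE32 header with the given [(name, characteristics)] section table.
    Only the fields section_rights() reads are populated; everything else is zero."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    size_opt = 0xE0                                   # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(size_opt, b"\x00")
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, flags)
        for name, flags in sections)
    return dos + b"PE\x00\x00" + coff + opt + table


def section_rights(data):
    """Parse the section table and return [(name, rights)] with rights drawn from 'E', 'R', 'W'.
    The lettering is this script's own; the report's rendering of the same flags differs slightly."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    off = coff + 20 + size_opt                        # first IMAGE_SECTION_HEADER
    out = []
    for _ in range(nsec):
        name = struct.unpack_from("<8s", data, off)[0].rstrip(b"\x00").decode("latin-1")
        flags = struct.unpack_from("<I", data, off + 36)[0]
        rights = ("E" if flags & E else "") + ("R" if flags & R else "") + ("W" if flags & W else "")
        out.append((name, rights))
        off += 40
    return out


def format_rights(sections):
    """Render a section list in the 'NAME:ER;NAME:R;' form the report uses."""
    return "".join(f"{n}:{r};" for n, r in sections)


def section_rights_changed(on_disk, in_memory):
    """True when the section names or rights differ, i.e. the image found in memory is not
    the one that was loaded from the file: a packed stage has been replaced by its payload."""
    return section_rights(on_disk) != section_rights(in_memory)


# Constructed inputs mirroring the two tables the report prints for 2.2.PURCHASE ORDER.exe.400000.0.unpack.
DUMPED_IMAGE = build_pe([("CODE", E | R), ("DATA", R | W), ("BSS", R | W), (".idata", R | W),
                         (".tls", R | W), (".rdata", R), (".reloc", R), (".rsrc", R)])
FILE_IMAGE = build_pe([(".text", E | R), (".rsrc", R), (".reloc", R)])

if __name__ == "__main__":
    print("dump:", format_rights(section_rights(DUMPED_IMAGE)))
    print("file:", format_rights(section_rights(FILE_IMAGE)))
    print("changed:", section_rights_changed(FILE_IMAGE, DUMPED_IMAGE))
```

On a real case, feed section_rights() the file from disk and a process memory dump of the same module; a differing section table at the same image base is the process-hollowing indicator the signature reports, independent of what the payload is.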
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Unpacked PE file: 2.2.PURCHASE ORDER.exe.2410000.3.unpack
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Unpacked PE file: 34.2.PURCHASE ORDER.exe.2390000.3.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Unpacked PE file: 2.2.PURCHASE ORDER.exe.400000.0.unpack
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Unpacked PE file: 18.2.PURCHASE ORDER.exe.400000.0.unpack
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Unpacked PE file: 29.2.PURCHASE ORDER.exe.400000.0.unpack
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Unpacked PE file: 34.2.PURCHASE ORDER.exe.400000.0.unpack
.NET source code contains potential unpacker
Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00446CD4 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 1_2_00446CD4
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00447320 push 004473ADh; ret 1_2_004473A5
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00426024 push 00426050h; ret 1_2_00426048
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00428038 push 00428064h; ret 1_2_0042805C
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00466080 push 004660ACh; ret 1_2_004660A4
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_0040C090 push 0040C20Ch; ret 1_2_0040C204
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_0046C150 push 0046C1C6h; ret 1_2_0046C1BE
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00450134 push 0045019Fh; ret 1_2_00450197
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_0040C20E push 0040C27Fh; ret 1_2_0040C277
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_0040C210 push 0040C27Fh; ret 1_2_0040C277
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_004482CC push ecx; mov dword ptr [esp], edx 1_2_004482D0
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_004262DC push 00426308h; ret 1_2_00426300
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_0040C2EE push 0040C31Ch; ret 1_2_0040C314
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_0040C2F0 push 0040C31Ch; ret 1_2_0040C314
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_0041A288 push ecx; mov dword ptr [esp], edx 1_2_0041A28A
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00410324 push 00410385h; ret 1_2_0041037D
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00410388 push 00410589h; ret 1_2_00410581
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_0042646C push 00426498h; ret 1_2_00426490
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_0044856C push ecx; mov dword ptr [esp], edx 1_2_00448570
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00470574 push 004705A0h; ret 1_2_00470598
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_0041058C push 004106D0h; ret 1_2_004106C8
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_0040660A push 0040665Dh; ret 1_2_00406655
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_0040660C push 0040665Dh; ret 1_2_00406655
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_004106A4 push 004106D0h; ret 1_2_004106C8
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_0043277C push 004327A8h; ret 1_2_004327A0
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_004067DC push 00406808h; ret 1_2_00406800
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_004327EC push 00432818h; ret 1_2_00432810
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_004327B4 push 004327E0h; ret 1_2_004327D8
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_0044884C push 00448878h; ret 1_2_00448870
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00406854 push 00406880h; ret 1_2_00406878
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_0043285C push 00432888h; ret 1_2_00432880
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00432824 push 00432850h; ret 1_2_00432848
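An added scanner, written for this page and not code from the sandbox or from the sample, for the push imm32 / ret pairs listed above: each hit pushes an address a few bytes past a later ret, so the ret pops that value into EIP and acts as a jump that linear disassembly does not show as a branch. The byte strings it scans are constructed to reproduce the address layout of the first hit (push at 0x447320, ret at 0x4473A5, target 0x4473AD); they are not bytes from the sample.

```python
# Added example, written for this page; it is not code from the sandbox or from the sample.
# Scans raw x86 code for the push imm32 / ret pairs listed under "Uses code obfuscation
# techniques (call, push, ret)": the pushed immediate is an address just past a later ret,
# so the ret pops it into EIP and acts as a jump that static disassembly does not show as
# a branch. The byte strings below are constructed; they are not bytes from the sample.
import struct

PUSH_IMM32 = 0x68
RET = 0xC3


def find_push_ret(code, base, window=0x200, slack=0x10):
    """Return (push_addr, target, ret_addr) for every push imm32 whose immediate lands within
    `slack` bytes after a ret found within `window` bytes of the push.
    Byte-wise scanning is deliberate: the pattern is found without trusting instruction
    boundaries, at the cost of possible false positives where 0x68 appears inside another
    instruction's bytes."""
    hits = []
    for i in range(len(code) - 4):
        if code[i] != PUSH_IMM32:
            continue
        target = struct.unpack_from("<I", code, i + 1)[0]
        for j in range(i + 5, min(len(code), i + 5 + window)):
            if code[j] == RET and base + j < target <= base + j + slack:
                hits.append((base + i, target, base + j))
                break
    return hits


def describe(hits):
    """Render hits in the report's own notation, e.g. '00447320 push 004473ADh; ret 004473A5'."""
    return [f"{p:08X} push {t:08X}h; ret {r:08X}" for p, t, r in hits]


# Constructed: one disguised jump with the same address layout as the report's first hit
# (push at 0x447320, ret at 0x4473A5, target 0x4473AD), padded with NOPs.
SAMPLE_BASE = 0x447320
SAMPLE_CODE = (bytes([PUSH_IMM32]) + struct.pack("<I", 0x4473AD)
               + b"\x90" * (0x85 - 5) + bytes([RET]) + b"\x90" * 8)
# Constructed: an ordinary push of a small constant followed by a ret, which must not match.
BENIGN_CODE = bytes([PUSH_IMM32]) + struct.pack("<I", 0x10) + b"\x90" * 10 + bytes([RET])

if __name__ == "__main__":
    for line in describe(find_push_ret(SAMPLE_CODE, SAMPLE_BASE)):
        print(line)
```

The slack of 16 bytes is a heuristic chosen for this example: every pair the report lists has its target exactly 8 bytes past the ret, so a tighter bound would also work on this sample, but a small margin keeps the scan robust to the compiler emitting a short stub between the ret and the landing address.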

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_0045AB54 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_0045AB54
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_004266A4 IsIconic,GetWindowPlacement,GetWindowRect, 1_2_004266A4
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00442778 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_00442778
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_0045B248 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 1_2_0045B248
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_0045B2F8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 1_2_0045B2F8
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_004415EC IsIconic,GetCapture, 1_2_004415EC
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00457C48 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_00457C48
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00441E94 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00441E94
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_0045AB54 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 3_2_0045AB54
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_004266A4 IsIconic,GetWindowPlacement,GetWindowRect, 3_2_004266A4
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_00442778 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 3_2_00442778
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_0045B248 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 3_2_0045B248
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_0045B2F8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 3_2_0045B2F8
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_004415EC IsIconic,GetCapture, 3_2_004415EC
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_00457C48 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 3_2_00457C48
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_00441E94 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 3_2_00441E94
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00446CD4 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 1_2_00446CD4
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Stores large binary data to the registry
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX (50 occurrences)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX (7 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX (5 occurrences)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX (5 occurrences)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00436808 1_2_00436808
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_00436808 3_2_00436808
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File opened / queried: C:\Windows\system32\drivers\VBoxMouse.sys
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File opened / queried: C:\Windows\system32\drivers\vmmouse.sys
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File opened / queried: C:\Windows\system32\drivers\VBoxGuest.sys
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File opened / queried: C:\Windows\system32\drivers\vmhgfs.sys
Note: VBoxMouse.sys and VBoxGuest.sys are VirtualBox Guest Additions drivers; vmmouse.sys and vmhgfs.sys ship with VMware Tools. Probing these paths is a cheap guest-tools check, so on an analysis VM either remove or rename these drivers, or expect the sample to behave differently from how it would on a victim host.
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 8_2_00408836
Note: the listed API sequence (NtQuerySystemInformation, then OpenProcess, DuplicateHandle and NtQueryObject per handle) is the standard pattern for enumerating system handles and resolving their object names, so this function can also determine which process holds a handle to a given file, not only the parent process id.
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 1_2_0045A128
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 3_2_0045A128
Note: the usual reading of this sequence is GetCursorPos combined with a wait: if the cursor position has not changed across the delay, the sample assumes no human is at the machine.
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Thread delayed: delay time: 300000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Thread delayed: delay time: 300000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Thread delayed: delay time: 300000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Thread delayed: delay time: 300000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Thread delayed: delay time: 922337203685477
Note: delay values are milliseconds (300000 = 5 min, 180000 = 3 min). 922337203685477 is 2^63-1 in 100 ns ticks divided by 10 000, i.e. TimeSpan.MaxValue / the largest representable relative NT delay, so those entries are effectively infinite waits (a thread parked until it is signalled) rather than timed sleeps.
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_00436808 3_2_00436808
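The VM driver probes, the long and maximal delays and the sleep-skipping check above are the entries an analyst triages first when a sample stays dormant in a sandbox. The following Python script is an added example and is not part of the Joe Sandbox report or of the analysed sample: it parses the report's "File opened / queried", "Thread delayed" and "Thread sleep time" lines (the embedded input lines are copied verbatim from this section), buckets each delay, maps each probed driver file to the hypervisor it would reveal, and reports which thread ids are sleeping. Assumptions that the report does not state: the delay values are milliseconds even where an "s" suffix is printed, 922337203685477 (Int64.MaxValue in 100 ns ticks divided by 10 000) marks an infinite wait, and the driver names beyond the four in the report, the bucket thresholds and the bucket labels are my own choices.

```python
"""Triage helper for the evasion entries of a Joe Sandbox behaviour report.

Added example, not part of the original report or of the analysed sample.
Assumptions not stated by the report: delay values are milliseconds even
where an "s" suffix is printed, and 922337203685477 (Int64.MaxValue in
100 ns ticks / 10 000) marks an effectively infinite wait.
"""
import re
from collections import Counter

INFINITE_WAIT_MS = (2**63 - 1) // 10_000   # 922337203685477, TimeSpan.MaxValue in ms
LONG_SLEEP_MS = 3 * 60 * 1000              # the report's ">= 3 min" bucket
EVASIVE_SLEEP_MS = 30_000                  # the report's "-30000s" threshold

# Guest-driver files commonly probed by anti-VM code. The first four are the
# ones this report shows; the remaining entries are assumed additions.
VM_DRIVERS = {
    "vboxmouse.sys": "VirtualBox", "vboxguest.sys": "VirtualBox",
    "vboxsf.sys": "VirtualBox", "vboxvideo.sys": "VirtualBox",
    "vmmouse.sys": "VMware", "vmhgfs.sys": "VMware",
    "vmci.sys": "VMware", "vmusbmouse.sys": "VMware",
}

_SLEEP_RE = re.compile(r"TID: (\d+) Thread sleep time: -(\d+)s")
_DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")
_FILE_RE = re.compile(r"File opened / queried: (.+?)(?:\s+Jump to behavior)?\s*$")


def parse_delay_ms(line):
    """Return (tid, milliseconds) for a sleep/delay entry; tid is None for
    'Thread delayed' entries, which carry no thread id. None if no match."""
    m = _SLEEP_RE.search(line)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = _DELAY_RE.search(line)
    if m:
        return None, int(m.group(1))
    return None


def classify_delay(ms):
    """Bucket a delay the way the report does, plus an 'infinite' bucket."""
    if ms >= INFINITE_WAIT_MS:
        return "infinite"
    if ms >= LONG_SLEEP_MS:
        return "long"
    if ms >= EVASIVE_SLEEP_MS:
        return "evasive"
    return "short"


def vm_artifact(path):
    """Map a probed driver path to the hypervisor it would reveal, or None."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return VM_DRIVERS.get(name)


def summarize(lines):
    """Count delay buckets, hypervisor probes and sleeping thread ids."""
    delays, hypervisors, tids = Counter(), Counter(), set()
    for line in lines:
        parsed = parse_delay_ms(line)
        if parsed is not None:
            tid, ms = parsed
            delays[classify_delay(ms)] += 1
            if tid is not None:
                tids.add(tid)
            continue
        m = _FILE_RE.search(line)
        if m and vm_artifact(m.group(1)):
            hypervisors[vm_artifact(m.group(1))] += 1
    return {"delays": dict(delays), "hypervisors": dict(hypervisors),
            "sleeping_tids": sorted(tids)}


# Input lines copied verbatim from this section of the report.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File opened / queried: C:\Windows\system32\drivers\VBoxMouse.sys",
    r"Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File opened / queried: C:\Windows\system32\drivers\vmmouse.sys",
    r"Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File opened / queried: C:\Windows\system32\drivers\VBoxGuest.sys",
    r"Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File opened / queried: C:\Windows\system32\drivers\vmhgfs.sys",
    r"Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Thread delayed: delay time: 922337203685477 Jump to behavior",
    r"Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Thread delayed: delay time: 300000 Jump to behavior",
    r"Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Thread delayed: delay time: 180000 Jump to behavior",
    r"Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6576 Thread sleep time: -922337203685477s >= -30000s Jump to behavior",
    r"Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6716 Thread sleep time: -120000s >= -30000s Jump to behavior",
    r"Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior",
    r"Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -99891s >= -30000s Jump to behavior",
]

if __name__ == "__main__":
    for key, value in summarize(REPORT_LINES).items():
        print(f"{key}: {value}")
```

Run against the lines above it reports three infinite waits, two long sleeps, two evasive sleeps, two VirtualBox and two VMware probes, and three sleeping thread ids. Feeding it a whole exported report is a quick way to see whether a dormant run is explained by an infinite wait (which shortening sleeps will not fix) or by a guest-tools artifact that should be removed from the analysis VM.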
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6576 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6716 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6720 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6728 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 7076 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -99891s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -99797s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -99687s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -99547s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -99344s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -99250s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -99141s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -98891s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -98797s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -98687s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -98594s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -98500s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -98344s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -98250s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -98141s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -98047s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -97937s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -97797s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -97687s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -97594s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -97500s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -97391s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -97250s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -97141s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6536 Thread sleep count: 153 > 30
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 4572 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5380 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 1412 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 1268 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6740 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -99906s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -99797s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -99547s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -99453s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -99343s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -99250s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -99156s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -98906s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -98797s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -98656s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -98547s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -98406s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -98297s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -98203s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -98093s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -98000s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -97593s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -97500s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -97406s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5628 Thread sleep count: 102 > 30
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5220 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5360 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5336 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5340 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5008 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 4204 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 2072 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 248 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6592 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -99906s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -99797s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -98859s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -98750s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -98656s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -98547s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -98406s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -98297s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -98203s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -98109s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -98000s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -97859s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -97750s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -97656s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -97547s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -97453s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -97312s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -97203s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -97109s >= -30000s
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -97000s >= -30000s
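The delay lines above carry an "s" suffix, but the numbers are the millisecond values the sample requested: 180000 and 300000 only match the "Contains long sleeps (>= 3 min)" signature when read as 3 and 5 minutes, and -30000 is the 30-second threshold the sandbox compares each relative delay against. 922337203685477 is exactly (2^63 - 1) 100-nanosecond ticks divided by 10000, which is .NET's TimeSpan.MaxValue expressed in milliseconds, and 1844674407370954 is twice that value; treating these as an effectively infinite wait is an inference from the arithmetic, not something the report states. The triage script below is an added example, not part of the Joe Sandbox report or of the sample: it parses lines in the report's own format, separates the infinite-wait sentinel from finite delays, totals the finite delay per thread, and raises the same three flags the sandbox does (infinite wait, cumulative sleep at or over the threshold, more than 30 sleeps in one thread). The input lines are copied from this report except the last one, a constructed short sleep that must not be flagged.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# The report's "-Ns >= -30000s" is a relative delay in milliseconds compared with the
# sandbox's 30 000 ms threshold (see lead-in).
SANDBOX_THRESHOLD_MS = 30_000
# (2**63 - 1) 100-ns ticks in ms == 922337203685477, .NET TimeSpan.MaxValue (inference).
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000
# Threshold behind the report's "Thread sleep count: N > 30" lines.
LOOP_COUNT_THRESHOLD = 30

LINE_RE = re.compile(
    r"TID:\s*(?P<tid>\d+)\s+Thread sleep "
    r"(?:time:\s*-(?P<ms>\d+)s|count:\s*(?P<count>\d+))"
)

def parse_sleep_lines(lines: List[str]) -> List[Tuple[int, Optional[int], Optional[int]]]:
    """Return (tid, delay_ms, loop_count) per matching line; other lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            ms = int(m["ms"]) if m["ms"] else None
            count = int(m["count"]) if m["count"] else None
            events.append((int(m["tid"]), ms, count))
    return events

def classify_delay(ms: int) -> str:
    """'infinite' for the TimeSpan.MaxValue sentinel (or a wrapped multiple), else long/short."""
    if ms >= TIMESPAN_MAX_MS:
        return "infinite"
    if ms >= SANDBOX_THRESHOLD_MS:
        return "long"
    return "short"

def triage(lines: List[str]) -> Tuple[Dict[int, dict], Set[str]]:
    """Per-thread totals plus the evasion flags a sandbox would raise."""
    per_tid: Dict[int, dict] = defaultdict(
        lambda: {"finite_ms": 0, "infinite": 0, "loop_count": 0}
    )
    for tid, ms, count in parse_sleep_lines(lines):
        slot = per_tid[tid]
        if ms is not None:
            if classify_delay(ms) == "infinite":
                slot["infinite"] += 1          # sentinel never enters the finite total
            else:
                slot["finite_ms"] += ms
        if count is not None:
            slot["loop_count"] += count
    flags: Set[str] = set()
    for slot in per_tid.values():
        if slot["infinite"]:
            flags.add("infinite_wait")
        if slot["finite_ms"] >= SANDBOX_THRESHOLD_MS:
            flags.add("long_sleep")
        if slot["loop_count"] > LOOP_COUNT_THRESHOLD:
            flags.add("sleep_loop")
    return dict(per_tid), flags

def human(ms: int) -> str:
    """Render a finite delay as minutes and seconds, e.g. 180000 -> '3m 0s'."""
    return f"{ms // 60_000}m {(ms % 60_000) // 1000}s"

# Lines copied from the report; the last one is constructed to show a non-flagged delay.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6576 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6716 Thread sleep time: -120000s >= -30000s",
    r"Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -1844674407370954s >= -30000s",
    r"Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -100000s >= -30000s",
    r"Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -99891s >= -30000s",
    r"Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6536 Thread sleep count: 153 > 30",
    r"Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 1234 Thread sleep time: -500s >= -30000s",
]

if __name__ == "__main__":
    totals, flags = triage(SAMPLE_LINES)
    for tid, slot in sorted(totals.items()):
        print(tid, human(slot["finite_ms"]), slot)
    print("flags:", sorted(flags))
```

Feeding the whole "May sleep" block of this report through triage() shows why a sandbox has to skip or shorten sleeps: the threads that request TimeSpan.MaxValue would otherwise never return, and the 5644/6340/6172 threads each accumulate well over a minute of finite delay in 100 ms decrements.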
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File opened: PhysicalDrive0
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00470848 GetSystemTime followed by cmp: cmp word ptr [esp], 07e4h and CTI: jnc 00470863h 1_2_00470848
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_00470848 GetSystemTime followed by cmp: cmp word ptr [esp], 07e4h and CTI: jnc 00470863h 3_2_00470848
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00408978 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 1_2_00408978
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00408A78 FindFirstFileA,GetLastError, 1_2_00408A78
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00405B54 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 1_2_00405B54
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_00408978 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 3_2_00408978
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_00408A78 FindFirstFileA,GetLastError, 3_2_00408A78
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_00405B54 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 3_2_00405B54
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 7_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 8_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 8_2_00407E0E
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00420920 GetSystemInfo, 1_2_00420920
Source: PURCHASE ORDER.exe, 00000002.00000002.298858340.0000000007350000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358996033.0000000006730000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.389143637.0000000006870000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448831340.0000000006350000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: PURCHASE ORDER.exe, 00000002.00000002.298858340.0000000007350000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358996033.0000000006730000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.389143637.0000000006870000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448831340.0000000006350000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: PURCHASE ORDER.exe, 00000002.00000002.298858340.0000000007350000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358996033.0000000006730000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.389143637.0000000006870000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448831340.0000000006350000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: PURCHASE ORDER.exe, 00000002.00000002.298858340.0000000007350000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358996033.0000000006730000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.389143637.0000000006870000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448831340.0000000006350000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: PURCHASE ORDER.exe, 00000022.00000002.443932118.0000000000887000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll//
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process queried: DebugObjectHandle
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 2_2_0048B6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0048B6F3
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 8_2_00408836
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00446CD4 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 1_2_00446CD4
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 2_2_0048F412 mov eax, dword ptr fs:[00000030h] 2_2_0048F412
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 2_2_0048F4D0 mov eax, dword ptr fs:[00000030h] 2_2_0048F4D0
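Two of the code-function findings in this report are byte patterns a static scan can recover, and the block below is an added example of doing so; it is not code from the sample or from Joe Sandbox. In the "Uses the system / local time for branch decision" finding, GetSystemTime fills a SYSTEMTIME whose first WORD is wYear, so the paired cmp word ptr [esp], 07e4h reads as a comparison of the current year with 0x7E4 = 2020, and the following jnc (jump if no carry, i.e. unsigned greater-or-equal) takes the branch when the year is 2020 or later. In the "Contains functionality to read the PEB" finding, mov eax, dword ptr fs:[00000030h] loads the PEB pointer from the TEB; its encodings are 64 A1 30 00 00 00 (moffs form, eax only) and 64 8B /r with a disp32 of 0x30 for any 32-bit register. The scanner finds both encodings, decodes the register and the compared year, and goes one step beyond what the report shows: after each PEB load it also looks a few bytes ahead for movzx r32, byte ptr [reg+2], the PEB.BeingDebugged read that IsDebuggerPresent performs. The test buffer is constructed for the example and is not bytes from the sample.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
PEB_OFFSET = 0x30            # fs:[0x30] is TEB.ProcessEnvironmentBlock on 32-bit Windows
BEING_DEBUGGED = 0x02        # PEB.BeingDebugged, the byte IsDebuggerPresent returns

@dataclass
class Hit:
    offset: int
    kind: str                # "peb_read", "being_debugged" or "year_cmp"
    detail: str

def match_peb_read(buf: bytes, i: int) -> Tuple[int, Optional[str]]:
    """(length, register) if buf[i:] encodes mov r32, fs:[0x30]; (0, None) otherwise."""
    if buf[i] != 0x64:                                  # FS segment override
        return 0, None
    # 64 A1 disp32: mov eax, fs:[disp32]  (moffs form, eax only)
    if buf[i + 1:i + 2] == b"\xA1" and i + 6 <= len(buf):
        if struct.unpack_from("<I", buf, i + 2)[0] == PEB_OFFSET:
            return 6, "eax"
    # 64 8B /r with mod=00, rm=101: mov r32, fs:[disp32] for any register
    if buf[i + 1:i + 2] == b"\x8B" and i + 7 <= len(buf):
        modrm = buf[i + 2]
        if (modrm & 0xC7) == 0x05 and struct.unpack_from("<I", buf, i + 3)[0] == PEB_OFFSET:
            return 7, REG32[(modrm >> 3) & 7]
    return 0, None

def find_being_debugged(buf: bytes, start: int, end: int, base_reg: int) -> Optional[int]:
    """Offset of movzx r32, byte ptr [base_reg+2] inside buf[start:end], or None."""
    for j in range(start, end - 3):
        if buf[j] == 0x0F and buf[j + 1] == 0xB6:
            modrm = buf[j + 2]
            # mod=01 (disp8), rm=base register, no SIB (rm != 100b), disp8 == 2
            if ((modrm & 0xC0) == 0x40 and (modrm & 7) == base_reg
                    and base_reg != 4 and buf[j + 3] == BEING_DEBUGGED):
                return j
    return None

def scan(buf: bytes) -> List[Hit]:
    """Linear byte scan; fine for code sections of a few hundred KB."""
    hits: List[Hit] = []
    i, n = 0, len(buf)
    while i < n:
        length, reg = match_peb_read(buf, i)
        if length:
            hits.append(Hit(i, "peb_read", f"mov {reg}, fs:[0x30]"))
            j = find_being_debugged(buf, i + length, min(n, i + length + 16), REG32.index(reg))
            if j is not None:
                hits.append(Hit(j, "being_debugged", f"movzx r32, byte ptr [{reg}+2]"))
            i += length
            continue
        # 66 81 3C 24 imm16: cmp word ptr [esp], imm16 (SYSTEMTIME.wYear at [esp])
        if buf[i:i + 4] == b"\x66\x81\x3C\x24" and i + 6 <= n:
            imm = struct.unpack_from("<H", buf, i + 4)[0]
            hits.append(Hit(i, "year_cmp", f"cmp word ptr [esp], 0x{imm:X} ({imm})"))
            i += 6
            continue
        i += 1
    return hits

def compared_years(hits: List[Hit]) -> List[int]:
    """Decode the immediate of every year_cmp hit, e.g. [2020]."""
    return [int(h.detail.rsplit("(", 1)[1].rstrip(")")) for h in hits if h.kind == "year_cmp"]

# Constructed buffer for the example (not bytes from the sample): NOP padding around the
# two patterns the report describes plus a BeingDebugged read the report does not show.
SAMPLE_CODE = bytes.fromhex(
    "90 90 90"
    "64 A1 30 00 00 00"        # mov eax, fs:[0x30]
    "0F B6 40 02"              # movzx eax, byte ptr [eax+2]   (PEB.BeingDebugged)
    "85 C0"                    # test eax, eax
    "90"
    "64 8B 1D 30 00 00 00"     # mov ebx, fs:[0x30]
    "90 90"
    "66 81 3C 24 E4 07"        # cmp word ptr [esp], 0x7E4   (2020)
    "73 05"                    # jnc +5
    "C3"
)

if __name__ == "__main__":
    for h in scan(SAMPLE_CODE):
        print(f"{h.offset:#06x} {h.kind:<15} {h.detail}")
```

A PEB load on its own is not malicious (the CRT and many packers read fs:[0x30] for legitimate reasons), which is why the scanner reports the BeingDebugged follow-up separately: that pairing, or a year compare gating execution, is what an analyst would pull into a YARA rule.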
Enables debug privileges
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 2_2_0048B6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0048B6F3
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 2_2_0048A746 SetUnhandledExceptionFilter, 2_2_0048A746
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 2_2_0048BBB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0048BBB5
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 2_2_0048DD7F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0048DD7F
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory protected: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Section loaded: unknown target: C:\Users\user\Desktop\PURCHASE ORDER.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Section loaded: unknown target: C:\Users\user\Desktop\PURCHASE ORDER.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Section loaded: unknown target: C:\Users\user\Desktop\PURCHASE ORDER.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Section loaded: unknown target: C:\Users\user\Desktop\PURCHASE ORDER.exe protection: execute and read and write
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe 'C:\Users\user\Desktop\PURCHASE ORDER.exe'
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2104
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe C:\Users\user\Desktop\PURCHASE ORDER.exe
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2112
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe C:\Users\user\Desktop\PURCHASE ORDER.exe
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2304
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe C:\Users\user\Desktop\PURCHASE ORDER.exe
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2272
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 1_2_00405D0C
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: GetLocaleInfoA,GetACP, 1_2_0040AEC4
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: GetLocaleInfoA, 1_2_00409B48
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: GetLocaleInfoA, 1_2_00409B94
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 1_2_00405E18
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: GetLocaleInfoA, 2_2_0048EA4A
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 3_2_00405D0C
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: GetLocaleInfoA,GetACP, 3_2_0040AEC4
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: GetLocaleInfoA, 3_2_00409B48
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: GetLocaleInfoA, 3_2_00409B94
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 3_2_00405E18
Queries the volume information (name, serial number, etc.) of a device
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00470848 GetSystemTime,ExitProcess,7378B110, 1_2_00470848
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 7_2_0040724C
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00447320 GetVersion, 1_2_00447320
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: PURCHASE ORDER.exe, 00000001.00000002.242159647.000000000019D000.00000004.00000010.sdmp Binary or memory string: avp.exe
Source: PURCHASE ORDER.exe, 00000002.00000002.292378043.0000000000768000.00000004.00000020.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444046847.000000000094A000.00000004.00000020.sdmp Binary or memory string: r\MsMpeng.exe
Source: PURCHASE ORDER.exe, 00000022.00000002.444046847.000000000094A000.00000004.00000020.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected HawkEye Keylogger
Source: Yara match File source: 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.383019570.00000000023B2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.384995181.0000000002FF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.443510229.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.306634331.0000000002817000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292566171.0000000000B92000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.382905012.0000000002322000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292013464.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.382096293.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.353139620.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.385013929.0000000002FF6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.293899335.0000000002BC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.353893754.00000000021B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.353046935.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.353958056.0000000002242000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.400160823.0000000002817000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.444206771.0000000002282000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.367864416.0000000002782000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.443391424.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292462185.0000000000AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.443761363.0000000000680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.291882316.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.382801146.0000000002290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.242972972.0000000002682000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292688488.0000000002412000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.355012308.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 5140, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 5772, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 6524, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 5076, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 6952, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 1396, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 6508, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 764, type: MEMORY
Source: Yara match File source: 34.2.PURCHASE ORDER.exe.2390000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.PURCHASE ORDER.exe.680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.PURCHASE ORDER.exe.21b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.PURCHASE ORDER.exe.21b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.PURCHASE ORDER.exe.2720000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.PURCHASE ORDER.exe.2280000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PURCHASE ORDER.exe.ae0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.PURCHASE ORDER.exe.2290000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.PURCHASE ORDER.exe.680000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PURCHASE ORDER.exe.ae0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.PURCHASE ORDER.exe.2290000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PURCHASE ORDER.exe.2630000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.PURCHASE ORDER.exe.2720000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, type: UNPACKEDPE
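The Yara rows in this section (the HawkEye Keylogger list above and the MailPassView list that follows) name three kinds of evidence: memory dumps (`.sdmp`), whole process address spaces (`Process Memory Space ... PID`), and rebuilt PE images (`.unpack`). The Python below is an added triage helper, not part of the Joe Sandbox report or of Joe Sandbox's own tooling: it parses those three forms, groups hits per process, flags dumped regions whose protection is PAGE_EXECUTE_READWRITE (the usual sign of an unpacked or injected payload), and reports which processes one rule family hits that the other does not. The `.sdmp` field layout is inferred from the rows themselves: the first hex field is the process index that also prefixes the `<idx>.2.<image>...unpack` names (0x22 is the `34.2.PURCHASE ORDER.exe` process, 0x07 the `7.2.vbc.exe` one), the fourth is the region base address and the fifth is the Windows PAGE_* protection constant; the meaning of the dump-id and trailing flag fields, and the reading of `.raw.unpack` as the unmodified dump versus `.unpack` as the rebuilt image, are assumptions. The sample rows are a constructed excerpt copied from this section.

```python
"""Added triage helper for the 'Source: Yara match File source:' rows of a
Joe Sandbox report.  Not part of the report or of Joe Sandbox itself."""
import re
from collections import defaultdict

# winnt.h memory-protection constants; the fifth dotted field of an .sdmp
# name is this value in hex (0x40 = RWX, the classic unpacked-payload sign).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

LINE_RE = re.compile(r"^Source: Yara match File source: (.+?), type: (MEMORY|UNPACKEDPE)$")
# <proc idx>.<phase>.<dump id>.<base>.<protection>.<flag>.sdmp
# proc idx and phase are hex and line up with the "<idx>.<phase>.<image>" unpack
# names; what the dump-id and trailing flag fields mean is assumed, not documented here.
SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)
PIDSPACE_RE = re.compile(r"^Process Memory Space: (.+) PID: (\d+)$")
# <proc idx>.<phase>.<image>.<base>.<n>[.raw].unpack  (".raw" = unmodified dump, assumed)
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+)\.([0-9a-fA-F]+)\.(\d+)(\.raw)?\.unpack$")


def parse_source(line):
    """Describe one 'Source: Yara match' row as a dict, or return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, _kind = m.groups()
    s = SDMP_RE.match(src)
    if s:
        prot = int(s.group(5), 16)
        return {"kind": "sdmp", "proc": int(s.group(1), 16), "phase": int(s.group(2), 16),
                "base": int(s.group(4), 16), "prot": PAGE_PROTECTION.get(prot, hex(prot))}
    p = PIDSPACE_RE.match(src)
    if p:
        return {"kind": "pidspace", "image": p.group(1), "pid": int(p.group(2))}
    u = UNPACK_RE.match(src)
    if u:
        return {"kind": "unpack", "proc": int(u.group(1)), "phase": int(u.group(2)),
                "image": u.group(3), "base": int(u.group(4), 16), "raw": u.group(6) is not None}
    return None


def summarize(rows):
    """Group parsed rows: process indices hit, (image, PID) pairs hit, the
    image name known for each index, and the RWX region bases per index."""
    procs, pids, images, rwx = set(), set(), {}, defaultdict(set)
    for r in map(parse_source, rows):
        if r is None:
            continue
        if r["kind"] == "pidspace":
            pids.add((r["image"], r["pid"]))
            continue
        procs.add(r["proc"])
        if r["kind"] == "unpack":
            images[r["proc"]] = r["image"]
        elif r["prot"] == "PAGE_EXECUTE_READWRITE":
            rwx[r["proc"]].add(r["base"])
    return {"procs": procs, "pids": pids, "images": images, "rwx": dict(rwx)}


def only_in_second(first_rows, second_rows):
    """Processes and PIDs the second rule family hits but the first does not."""
    a, b = summarize(first_rows), summarize(second_rows)
    return {"procs": b["procs"] - a["procs"], "pids": b["pids"] - a["pids"]}


# Constructed excerpt of the rows in this section (a subset, copied verbatim).
HAWKEYE_ROWS = [
    "Source: Yara match File source: 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000002.00000002.292462185.0000000000AE0000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 5140, type: MEMORY",
    "Source: Yara match File source: 34.2.PURCHASE ORDER.exe.2390000.3.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 2.2.PURCHASE ORDER.exe.ae0000.1.raw.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, type: UNPACKEDPE",
]
MAILPASSVIEW_ROWS = HAWKEYE_ROWS + [
    "Source: Yara match File source: 00000007.00000002.264672646.0000000000400000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000026.00000002.413012282.0000000000400000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: Process Memory Space: vbc.exe PID: 6536, type: MEMORY",
    "Source: Yara match File source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 38.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE",
]

if __name__ == "__main__":
    hk = summarize(HAWKEYE_ROWS)
    for idx in sorted(hk["procs"]):
        bases = ", ".join(hex(b) for b in sorted(hk["rwx"].get(idx, ())))
        print(f"proc {idx:3d} {hk['images'].get(idx, '?'):20s} RWX regions: {bases or '-'}")
    extra = only_in_second(HAWKEYE_ROWS, MAILPASSVIEW_ROWS)
    print("MailPassView-only processes:", sorted(extra["procs"]), sorted(extra["pids"]))
```

Run against the full lists above, the MailPassView rule also hits process indices 7, 21 and 38 (vbc.exe PIDs 6536, 1236 and 6928) that the HawkEye Keylogger rule never touches, all at base 0x400000 with RWX protection. That matches the `GetComputerNameA,GetUserNameA` routine reported earlier for `vbc.exe` and the "Sample uses process hollowing technique" signature: the NirSoft recovery tool runs inside hollowed vbc.exe instances, while the keylogger stays in the PURCHASE ORDER.exe processes.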
Yara detected MailPassView
Source: Yara match File source: 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.413012282.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.383019570.00000000023B2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.296134787.0000000003BC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.264672646.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.443510229.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.306634331.0000000002817000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.325960552.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292566171.0000000000B92000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.382905012.0000000002322000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292013464.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.382096293.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.353139620.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.356703266.0000000003AB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.353893754.00000000021B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.353046935.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.353958056.0000000002242000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.400160823.0000000002817000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.444206771.0000000002282000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.367864416.0000000002782000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.443391424.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292462185.0000000000AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.385265608.0000000003B71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.443761363.0000000000680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.291882316.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.382801146.0000000002290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.242972972.0000000002682000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292688488.0000000002412000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.446960963.0000000003A41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 5140, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 5772, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 6524, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 6536, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 5076, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 6952, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 1396, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 1236, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 6508, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 764, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 6928, type: MEMORY
Source: Yara match File source: 38.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.PURCHASE ORDER.exe.2390000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.PURCHASE ORDER.exe.680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.PURCHASE ORDER.exe.21b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.PURCHASE ORDER.exe.21b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.PURCHASE ORDER.exe.2720000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.PURCHASE ORDER.exe.2280000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PURCHASE ORDER.exe.ae0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.PURCHASE ORDER.exe.2290000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.PURCHASE ORDER.exe.680000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PURCHASE ORDER.exe.ae0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.PURCHASE ORDER.exe.2290000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PURCHASE ORDER.exe.2630000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.PURCHASE ORDER.exe.2720000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
(The report repeats this pair three times, one copy per vbc.exe instance; the duplicate copies and the "Jump to behavior" link text are omitted here.)
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
(The report repeats these four keys three times, one copy per vbc.exe instance; the duplicate copies and the "Jump to behavior" link text are omitted here.)
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 7_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 7_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: ESMTPPassword 7_2_004033D7
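The evidence above is the part of the report a detection engineer can act on directly: vbc.exe is the Visual Basic .NET command-line compiler shipped with the .NET Framework, and it has no reason to open Chrome's Login Data database or the Outlook, Windows Live Mail, IncrediMail and Google Talk account keys. The Yara hits for MailPassView and WebBrowserPassView inside vbc.exe memory, together with the "Sample uses process hollowing technique" signature, explain why it does here. The script below is an added example (not part of the Joe Sandbox report and not the sample's code) that parses report-style "File opened" / "Key opened" lines, maps each target to a credential-store category using the exact paths and keys listed above, and flags a process that either is not an expected owner of a store or harvests several categories at once. The owner allow-list (EXPECTED_OWNERS) and the chrome.exe line are constructed assumptions for the demonstration.

```python
"""Triage sandbox behaviour lines for credential-store access by unexpected processes."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Credential stores grouped by the category the report uses; every path and
# registry key below is copied from the report's signature evidence.
CREDENTIAL_STORES = {
    "browser": (
        r"\Google\Chrome\User Data\Default\Login Data",
        r"\Google\Chrome\User Data\Default\Web Data",
    ),
    "im": (
        r"HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts",
        r"HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt",
    ),
    "mail": (
        r"HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts",
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles",
        r"HKEY_CURRENT_USER\Software\IncrediMail\Identities",
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail",
    ),
}

# Assumed allow-list (not from the report): image names that own each store and
# may legitimately open it. Any other image touching a store is suspicious.
EXPECTED_OWNERS = {
    "browser": {"chrome.exe"},
    "im": {"googletalk.exe", "msnmsgr.exe"},
    "mail": {"outlook.exe", "wlmail.exe", "incmail.exe"},
}

# Report line shape: "Source: <process path> File opened|Key opened: <target> [Jump to behavior]"
LINE_RE = re.compile(
    r"^Source:\s+(?P<proc>.+?)\s+(?P<op>File opened|Key opened):\s+(?P<target>.+?)"
    r"(?:\s+Jump to behavior)?\s*$"
)

# Sample input: the vbc.exe lines are copied from the report; the chrome.exe line
# is constructed to show a legitimate owner opening its own store.
SAMPLE_LINES = [
    r"Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data",
    r"Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts",
    r"Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles",
    r"Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities",
    r"Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail",
    r"Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail",
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
]


def classify_target(op, target):
    """Return the credential-store category of a file path or registry key, or None."""
    t = target.lower()
    for category, stores in CREDENTIAL_STORES.items():
        for store in stores:
            s = store.lower()
            if op == "File opened" and t.endswith(s):
                return category
            if op == "Key opened" and t == s:
                return category
    return None


def triage(lines):
    """Group credential-store accesses by process image and flag stealer-like patterns."""
    touched = defaultdict(lambda: {"categories": set(), "targets": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a file/registry access line; ignore
        category = classify_target(m["op"], m["target"])
        if category is None:
            continue  # ordinary file or key, not a credential store
        image = PureWindowsPath(m["proc"]).name.lower()
        touched[image]["categories"].add(category)
        touched[image]["targets"].add(m["target"])

    findings = {}
    for image, info in touched.items():
        cats = info["categories"]
        unexpected = {c for c in cats if image not in EXPECTED_OWNERS.get(c, set())}
        reasons = []
        if unexpected:
            reasons.append("unexpected accessor of %s store(s)" % ",".join(sorted(unexpected)))
        if len(cats) >= 2:
            reasons.append("harvests %d credential categories in one process" % len(cats))
        findings[image] = {
            "categories": cats,
            "targets": sorted(info["targets"]),
            "reasons": reasons,
            "suspicious": bool(reasons),
        }
    return findings


if __name__ == "__main__":
    for image, f in triage(SAMPLE_LINES).items():
        print(image, "SUSPICIOUS" if f["suspicious"] else "ok", "; ".join(f["reasons"]))
```

The two rules are deliberately independent: the allow-list catches a single out-of-place read (a compiler opening Login Data), while the multi-category rule catches a stealer running under an image that happens to be on the allow-list for one store. Note that duplicate lines collapse into one target, so the eight distinct stores vbc.exe touched are counted once each.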
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.383019570.00000000023B2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.296134787.0000000003BC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.417706986.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.443510229.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.306634331.0000000002817000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292566171.0000000000B92000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.382905012.0000000002322000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.335094690.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292013464.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.382096293.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.353139620.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.356703266.0000000003AB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.353893754.00000000021B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.353046935.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.353958056.0000000002242000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.400160823.0000000002817000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.444206771.0000000002282000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.367864416.0000000002782000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.443391424.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292462185.0000000000AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.385265608.0000000003B71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.443761363.0000000000680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.268465330.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.291882316.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.382801146.0000000002290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.242972972.0000000002682000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292688488.0000000002412000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.446960963.0000000003A41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 5140, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 5772, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 6524, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 5076, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 6952, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 1396, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 6508, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 6312, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 6940, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 764, type: MEMORY
Source: Yara match File source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.PURCHASE ORDER.exe.2390000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.PURCHASE ORDER.exe.680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.PURCHASE ORDER.exe.21b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.PURCHASE ORDER.exe.21b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.PURCHASE ORDER.exe.2720000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.PURCHASE ORDER.exe.2280000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PURCHASE ORDER.exe.ae0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.PURCHASE ORDER.exe.2290000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.PURCHASE ORDER.exe.680000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PURCHASE ORDER.exe.ae0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.PURCHASE ORDER.exe.2290000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PURCHASE ORDER.exe.2630000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.PURCHASE ORDER.exe.2720000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected HawkEye Rat
Source: PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: PURCHASE ORDER.exe String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: PURCHASE ORDER.exe String found in binary or memory: HawkEyeKeylogger
Source: PURCHASE ORDER.exe String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: PURCHASE ORDER.exe String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: PURCHASE ORDER.exe, 00000002.00000002.293899335.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: (r'&HawkEye_Keylogger_Execution_Confirmed_
Source: PURCHASE ORDER.exe, 00000002.00000002.293899335.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: (r#"HawkEye_Keylogger_Stealer_Records_
Source: PURCHASE ORDER.exe, 00000002.00000002.292566171.0000000000B92000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: PURCHASE ORDER.exe, 00000002.00000002.292566171.0000000000B92000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: PURCHASE ORDER.exe, 00000002.00000002.292566171.0000000000B92000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: PURCHASE ORDER.exe, 00000002.00000002.292566171.0000000000B92000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: PURCHASE ORDER.exe, 00000012.00000002.355012308.0000000002AB1000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger
Source: PURCHASE ORDER.exe, 00000012.00000002.355012308.0000000002AB1000.00000004.00000001.sdmp String found in binary or memory: (r'&HawkEye_Keylogger_Execution_Confirmed_
Source: PURCHASE ORDER.exe, 00000012.00000002.355012308.0000000002AB1000.00000004.00000001.sdmp String found in binary or memory: (r#"HawkEye_Keylogger_Stealer_Records_
Source: PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: PURCHASE ORDER.exe, 0000001D.00000002.384284162.0000000002BFE000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger|9(r
Source: PURCHASE ORDER.exe, 0000001D.00000002.384284162.0000000002BFE000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger
Source: PURCHASE ORDER.exe, 0000001D.00000002.384284162.0000000002BFE000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger|9(r@~WA]sOS}SOZYQQSD666666666666666666666666666666666666666666666666|9(r@
Source: PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: PURCHASE ORDER.exe, 0000001D.00000002.384995181.0000000002FF0000.00000004.00000001.sdmp String found in binary or memory: (r'&HawkEye_Keylogger_Execution_Confirmed_
Source: PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: PURCHASE ORDER.exe, 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger
Source: PURCHASE ORDER.exe, 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmp String found in binary or memory: (r'&HawkEye_Keylogger_Execution_Confirmed_
Source: PURCHASE ORDER.exe, 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmp String found in binary or memory: (r#"HawkEye_Keylogger_Stealer_Records_
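The strings above carry stray leading characters ("!HawkEyeKeylogger", "MHawkEye_Keylogger_Execution_Confirmed_", "EHawkEye_Keylogger_Stealer_Records_", "CHawkEye_Keylogger_Keylog_Records_"). These are not part of the malware's strings: the sample is .NET, and its literals live in the assembly's #US (user string) heap, where each entry is a compressed length prefix, the UTF-16LE characters, and one trailing flag byte (ECMA-335 II.24.2.4). The prefix counts the flag byte, so a 16-character string gets the byte 33 = "!", a 38-character one 77 = "M", 34 gives "E" and 33 gives "C", exactly the letters the report shows; short neighbours such as ".txt" and "\pidloc.txt" get non-printable prefixes, which is why they run straight into the next string in the dump. The practical consequence for detection is that the strings are UTF-16 in memory and an ASCII-only search misses them, so a Yara rule for them needs the wide modifier. The following is an added example (not the report's or the sample's code) that reconstructs #US entries for the reported markers, reproduces the prefix letters, and shows an ASCII-only scan of a constructed heap finding nothing while a wide-aware scan finds every marker. The heap layout in build_sample_heap is constructed to resemble the fragments in the report, not recovered from the sample.

```python
"""Reproduce the #US heap prefixes on the report's HawkEye strings and scan for them wide + ASCII."""
import struct

# Marker strings copied from the report's "Detected HawkEye Rat" evidence.
HAWKEYE_MARKERS = (
    "HawkEyeKeylogger",
    "HawkEye_Keylogger_Execution_Confirmed_",
    "HawkEye_Keylogger_Stealer_Records_",
    "HawkEye_Keylogger_Keylog_Records_",
)


def compressed_uint(value):
    """ECMA-335 II.23.2 compressed unsigned integer (1, 2 or 4 bytes, big-endian tag bits)."""
    if value < 0x80:
        return bytes([value])
    if value < 0x4000:
        return struct.pack(">H", 0x8000 | value)
    if value < 0x20000000:
        return struct.pack(">I", 0xC0000000 | value)
    raise ValueError("value too large for a compressed integer")


def us_heap_entry(text):
    """Encode one #US (user string) heap entry: length prefix, UTF-16LE chars, flag byte.

    The length covers the flag byte, so a BMP-only string of n characters is
    prefixed with 2*n + 1. The flag is 1 when any code unit has a non-zero high
    byte or a low byte in 0x01-0x08, 0x0E-0x1F, 0x27, 0x2D or 0x7F, else 0.
    """
    data = text.encode("utf-16-le")
    flag = 0
    for (unit,) in struct.iter_unpack("<H", data):
        lo, hi = unit & 0xFF, unit >> 8
        if hi or 0x01 <= lo <= 0x08 or 0x0E <= lo <= 0x1F or lo in (0x27, 0x2D, 0x7F):
            flag = 1
            break
    return compressed_uint(len(data) + 1) + data + bytes([flag])


def prefix_char(text):
    """The character a naive string dumper prints directly in front of a #US entry."""
    return chr(us_heap_entry(text)[0])


def build_sample_heap():
    """Constructed #US heap whose order mimics the fragments in the report (not the real sample)."""
    order = (
        "\\pidloc.txt", "HawkEyeKeylogger",
        "HawkEye_Keylogger_Execution_Confirmed_", ".txt",
        "HawkEye_Keylogger_Stealer_Records_", ".jpeg",
        "HawkEye_Keylogger_Keylog_Records_",
    )
    return b"".join(us_heap_entry(s) for s in order)


def find_markers(buf, wide=True):
    """Return the set of HawkEye markers present in buf, searched as ASCII and optionally UTF-16LE."""
    found = set()
    for marker in HAWKEYE_MARKERS:
        needles = [marker.encode("ascii")]
        if wide:
            needles.append(marker.encode("utf-16-le"))  # what Yara's 'wide' modifier searches for
        if any(n in buf for n in needles):
            found.add(marker)
    return found


if __name__ == "__main__":
    for m in HAWKEYE_MARKERS:
        print("%r -> prefix %r" % (m, prefix_char(m)))
    heap = build_sample_heap()
    print("ascii-only:", sorted(find_markers(heap, wide=False)))
    print("wide+ascii:", sorted(find_markers(heap, wide=True)))
```

The pipe-delimited subject lines ("UHawkEye Keylogger | Execution Confirmed |", "MHawkEye Keylogger | Stealer Records |") come out one character short of their prefixes by this arithmetic, which is consistent with a trailing space that the report's string view trims; that is an inference, not something the report states.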
Yara detected HawkEye Keylogger
Source: Yara match File source: 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.383019570.00000000023B2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.384995181.0000000002FF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.443510229.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.306634331.0000000002817000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292566171.0000000000B92000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.382905012.0000000002322000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292013464.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.382096293.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.353139620.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.385013929.0000000002FF6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.293899335.0000000002BC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.353893754.00000000021B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.353046935.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.353958056.0000000002242000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.400160823.0000000002817000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.444206771.0000000002282000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.367864416.0000000002782000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.443391424.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292462185.0000000000AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.443761363.0000000000680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.291882316.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.382801146.0000000002290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.242972972.0000000002682000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292688488.0000000002412000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.355012308.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 5140, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 5772, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 6524, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 5076, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 6952, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 1396, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 6508, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 764, type: MEMORY
Source: Yara match File source: 34.2.PURCHASE ORDER.exe.2390000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.PURCHASE ORDER.exe.680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.PURCHASE ORDER.exe.21b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.PURCHASE ORDER.exe.21b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.PURCHASE ORDER.exe.2720000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.PURCHASE ORDER.exe.2280000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PURCHASE ORDER.exe.ae0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.PURCHASE ORDER.exe.2290000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.PURCHASE ORDER.exe.680000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PURCHASE ORDER.exe.ae0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.PURCHASE ORDER.exe.2290000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PURCHASE ORDER.exe.2630000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.PURCHASE ORDER.exe.2720000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, type: UNPACKEDPE
Behavior Graph

Behavior Graph ID: 321194
Sample: PURCHASE ORDER.exe
Startdate: 20/11/2020
Architecture: WINDOWS
Score: 100

Sample-level network: mail.iigcest.com, 194.167.4.0.in-addr.arpa, 2 other IPs or domains
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures

Process tree (indentation shows parent/child; the leading numbers are the graph's own node ids):

  14 PURCHASE ORDER.exe
     Signatures: Maps a DLL or memory area into another process
     17 PURCHASE ORDER.exe
        23 PURCHASE ORDER.exe
           Signatures: Maps a DLL or memory area into another process
           32 PURCHASE ORDER.exe
              38 PURCHASE ORDER.exe
                 Signatures: Maps a DLL or memory area into another process
                 47 PURCHASE ORDER.exe
                    53 PURCHASE ORDER.exe
                       Signatures: Maps a DLL or memory area into another process
                       58 PURCHASE ORDER.exe
                          Network: mail.iigcest.com, 194.167.4.0.in-addr.arpa, whatismyipaddress.com
                          Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique; 2 other signatures
                          64 vbc.exe
                             Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access)
                          67 vbc.exe
                             Signatures: Tries to harvest and steal browser information (history, passwords, etc)
                          69 dw20.exe
                       62 PURCHASE ORDER.exe
                 49 PURCHASE ORDER.exe
                    Network: 194.167.4.0.in-addr.arpa, whatismyipaddress.com
                    Signatures: Installs a global keyboard hook
                    56 dw20.exe
           34 PURCHASE ORDER.exe
              Network: mail.iigcest.com, 194.167.4.0.in-addr.arpa, whatismyipaddress.com
              Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique; 2 other signatures
              41 vbc.exe
                 Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access)
              43 dw20.exe
              45 vbc.exe
     19 PURCHASE ORDER.exe
        Network: mail.iigcest.com (166.62.27.57, ports 49724, 49740, 49762, AS-26496-GO-DADDY-COM-LLCUS, United States), 194.167.4.0.in-addr.arpa, 2 other IPs or domains
        Signatures: Changes the view of files in windows explorer (hidden files and folders); Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures
        26 vbc.exe
           Signatures: Tries to steal Mail credentials (via file registry); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access)
        28 vbc.exe
        30 dw20.exe

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP             Domain   Country        ASN    ASN Name                     Malicious
104.16.155.36  unknown  United States  13335  CLOUDFLARENETUS              false
166.62.27.57   unknown  United States  26496  AS-26496-GO-DADDY-COM-LLCUS  true

Private

IP
192.168.2.1

Contacted Domains

Name                       IP             Active
whatismyipaddress.com      104.16.155.36  true
mail.iigcest.com           166.62.27.57   true
g.msn.com                  unknown        unknown
194.167.4.0.in-addr.arpa   unknown        unknown

Contacted URLs

Name                           Malicious  Antivirus Detection  Reputation
http://whatismyipaddress.com/  false      (none)               high